The Legislative Audit Committee
of the Montana State Legislature:

This is our EDP audit of the Department of Transportation's internal control relating to its computer-based systems. We reviewed the department's general controls as they relate to the data processed on the state mainframe and the department's minicomputers. In addition, we reviewed four of the department's major computer applications: CARES, On-line Claims, Construction Progress Estimate, and Billing Voucher. This report addresses the control weaknesses we identified in the Department of Transportation's EDP control systems. The department's written response to the audit recommendations is included in the back of the report.

We thank the director and department personnel for their cooperation and assistance throughout the audit.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor

Office of the Legislative Auditor

EDP Audit

Department of Transportation

Members of the audit staff involved in this audit were CD Avery, Mary Bryson, Jerry Kozak, Maureen G. McHugh, Paul J. O'Loughlin, and Jill Olson.
Introduction

Our EDP audit determined whether the department properly protects, maintains, and preserves the integrity of data in its computer-based information resources. We reviewed the adequacy of the department's implementation of general and application controls. A discussion of the general and application controls is included on pages 1 and 2. The objectives and scope of the audit are discussed on pages 2 and 3 of the report.

The Department of Transportation maintains a diverse computer environment. The department owns and operates over 15 minicomputers and a large number of networked microcomputers, all of which communicate with the state mainframe. The department supports 38 mainframe and over 490 mini/micro applications.

Overall, our EDP audit identified weaknesses in the department's establishment of general and application controls. The weaknesses we identified affect the integrity of data maintained on the systems and the long-term usefulness of the department's computer-based information.


General Controls

In our review of the department's general control environment, we found organizational and physical controls were adequate. We noted concerns with the general control environment relating to electronic access, data procedural controls, and system development and maintenance procedure controls.

Access Controls

Access controls provide electronic safeguards designed to ensure computer system resources are properly used. Logon IDs and passwords control access to the department's computer systems, computer programs, and computer data. Access controls also permit separation of the input/output function and the programming function. The Input/Output controller cannot alter data or write or change programs. Programmers can write programs, but they should not have access to the data or the production programs.
Programmer Access

The department's access rules give programmers access rights to the master data files of the systems they support. Because this access is unlimited and unlogged, the potential exists for unauthorized and untraceable manipulation of critical information. Users stated programmers need the access to facilitate the system support function. Programmers can support their assigned systems without these access rights. We believe the department should remove programmer access to master data files or, at a minimum, log and review programmer access to these files.

We also found department programmers had unlimited access rights in order to back up the I/O function. As a result, programmers can and do submit jobs when I/O controllers are not available. Programmer and I/O controller functions should be separate. Allowing programmers unlimited access to production programs and data files gives them access to the entire process and increases the risk of undetected material errors or irregularities. We believe the department should delete the universal programmer I/O access and provide cross training to its I/O controllers.


Review of Access Rights

Mainframe access restrictions placed on each application are agreed upon among the user, programmer, and resource manager. This agreement is documented and given to the department security officer, who writes the access rules. Once written, these rules are not reviewed to see whether they achieve the agreed-upon access restrictions. Our review identified some rules that did not support or provide the agreed-upon access. The department should conduct a periodic review of the rules.

Shared Logon IDs and Passwords

A logon ID unique to a specific computer user and protected by a password known only to that user provides a good means of limiting access to appropriate users and helps provide accountability for work done. We found the department's use of this control is ineffective for two reasons: 1) the department assigns group logon IDs, and 2) employees share their individual user logon IDs with fellow employees.

In field locations the department assigns one logon ID to the user group at that location. Some groups need to share common files to complete projects. This could be accomplished by using unique logon IDs for each user and providing appropriate file access. We also found instances of employees working together sharing the password for their assigned logon ID. Employees share logon IDs and passwords so they can help each other with their daily duties and provide backup in case of absences. We believe this could be better accomplished by establishing appropriate access assignments for each employee through a unique logon ID.


I/O Controller Responsibilities

Department Input/Output (I/O) controllers submit production run jobs. At the request of the system user, they submit the job for processing; make certain all the data files are available; resolve problems that come up during processing; follow up on data errors detected during processing; and ensure proper distribution of the output.

In evaluating the I/O controller responsibilities and the department's implementation of procedures, we found the I/O manual is incomplete, I/O controllers lack a problem resolution guide, and they do not adequately control output. We believe the department should update and enhance the I/O controller manual and establish procedures for appropriate distribution of computer output.


System Maintenance

Programmers develop new systems based on approved written requests from the user. When the programmer completes the system, it is documented, reviewed, and approved. Subsequent system enhancements follow the same procedures. However, the department does not require the same process for maintenance changes.

Although the department does require programmers to document and report maintenance changes monthly, no procedure exists to ensure all maintenance changes are appropriate, authorized, documented, and reported to management. Maintenance changes should be subject to the same request approval, documentation, review, and approval that apply to system enhancements.
Contingency Planning

Contingency planning is a basic element of safeguarding computer systems and information resources. It involves collecting the plans, procedures, arrangements, and information which are completed, compiled, and held in readiness for use in the event of a disruption of normal activities. A contingency plan should be comprehensive and periodically tested to facilitate an adequate recovery process.

We reviewed the department's contingency/disaster plan, which was completed on June 1, 1990. We reviewed the plan to determine whether it contained the minimum contingency guidelines stated in section 1-0240.00, MOM. Our review indicated the department would benefit by updating and testing the plan.


Cost Accounting and Record Entry System

The Cost Accounting and Record Entry System (CARES) derives data from the following six subsystems: On-line Claims, Payroll Subsystem, Stores System, Maintenance Management System, Equipment Management System, and Motor Pool Management System. To place reliance on the data maintained in CARES, we examined input and output controls for each of the subsystems.


On-Line Claims

The Highway On-line Claims System (HOC) provides a data entry function which allows multiple users to input transfer warrant claim information. The system creates Statewide Budgeting and Accounting System (SBAS) records which are sent by remote job entry over communication lines to the Department of Administration. These revenue and expenditure records are then used to update SBAS and the Warrant Writing System. Overall, we determined the HOC system objectives are being met and controls are adequate. However, we noted no automated procedure exists for identifying duplicate vendor payments. We believe the department should evaluate an automated system for preventing or detecting duplicate payments to vendors.
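An automated duplicate-payment check of the kind the recommendation asks the department to evaluate, given here as an added example and not as code from the HOC system: exact duplicates (same vendor and invoice number once keying differences are normalized) and probable duplicates (same vendor and amount within a short window under a different invoice number) are reported separately, and a screening function shows how the same logic can reject or warn at claim entry. The claim records, field names, and the 30-day window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample claim batch (assumption; not real HOC data).
CLAIMS = [
    {"claim": "C1001", "vendor": "V0042", "invoice": "INV-7781", "amount": 1250.00, "date": date(1991, 3, 4)},
    {"claim": "C1002", "vendor": "V0042", "invoice": "inv 7781", "amount": 1250.00, "date": date(1991, 3, 18)},  # re-keyed invoice
    {"claim": "C1003", "vendor": "V0042", "invoice": "INV-7790", "amount": 1250.00, "date": date(1991, 3, 20)},  # same amount, new number
    {"claim": "C1004", "vendor": "V0077", "invoice": "0001234", "amount": 300.00, "date": date(1991, 3, 5)},
    {"claim": "C1005", "vendor": "V0077", "invoice": "1234", "amount": 300.00, "date": date(1991, 5, 30)},      # leading zeros dropped
    {"claim": "C1006", "vendor": "V0099", "invoice": "A-1", "amount": 50.00, "date": date(1991, 3, 6)},
]


def normalize_invoice(text):
    """Remove the keying differences that let a second claim slip past an
    exact match: case, punctuation, embedded spaces and leading zeros."""
    text = re.sub(r"[^A-Za-z0-9]", "", text).upper()
    return text.lstrip("0") or "0"


def exact_duplicates(claims=CLAIMS):
    """Groups of claims with the same vendor and the same normalized invoice
    number: almost certainly the same invoice paid twice."""
    groups = defaultdict(list)
    for c in claims:
        groups[(c["vendor"], normalize_invoice(c["invoice"]))].append(c["claim"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def probable_duplicates(claims=CLAIMS, window_days=30):
    """Pairs with the same vendor and amount inside the window but different
    invoice numbers: worth a reviewer's look, not an automatic rejection."""
    by_vendor = defaultdict(list)
    for c in claims:
        by_vendor[c["vendor"]].append(c)
    pairs = []
    for vendor_claims in by_vendor.values():
        ordered = sorted(vendor_claims, key=lambda c: c["date"])
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                if (b["date"] - a["date"]).days > window_days:
                    break  # later claims are further away still
                same_invoice = normalize_invoice(a["invoice"]) == normalize_invoice(b["invoice"])
                if a["amount"] == b["amount"] and not same_invoice:
                    pairs.append((a["claim"], b["claim"]))
    return sorted(pairs)


def screen_new_claim(new, history=CLAIMS, window_days=30):
    """Entry-time gate: reject an invoice already in the history, warn on a
    same-vendor same-amount claim inside the window, otherwise allow (None)."""
    key = (new["vendor"], normalize_invoice(new["invoice"]))
    for c in history:
        if (c["vendor"], normalize_invoice(c["invoice"])) == key:
            return "REJECT: invoice already claimed on " + c["claim"]
    for c in history:
        if (c["vendor"] == new["vendor"] and c["amount"] == new["amount"]
                and abs((new["date"] - c["date"]).days) <= window_days):
            return "WARN: same vendor and amount as " + c["claim"]
    return None


if __name__ == "__main__":
    print("exact:", exact_duplicates())
    print("probable:", probable_duplicates())
    print(screen_new_claim({"claim": "C1007", "vendor": "V0042", "invoice": "INV7781",
                            "amount": 1250.00, "date": date(1991, 4, 1)}))
```

The split between reject and warn matters in practice: a credit memo or a recurring monthly charge legitimately repeats vendor and amount, so only the normalized invoice match is strong enough to stop a payment without a person looking at it.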
Payroll Subsystem

The system controls payroll processing and personnel record keeping for the department. Overall, we found input and output controls related to the Payroll Subsystem are adequate to ensure the integrity of CARES data. During our review, we noted that access to payroll and personnel records is not limited: all department employees with user logon IDs have read access to the Payroll Subsystem. The department should limit access to payroll and personnel records to those authorized.


Stores System

The Stores System supplies data to CARES for inventory billing purposes and also maintains an automated perpetual inventory system. The department's inventory includes equipment parts, road signs, gravel, etc. Department personnel from headquarters and the districts record inventory additions (purchases) and deductions (usage) on this system. In our review, we noted stores personnel entering data were not adequately trained, the manuals were not up to date, and logon IDs were shared. In addition, procedures to ensure inventory purchases and usage are properly accounted for were not consistently applied at the districts. We believe the department should implement procedures to ensure the Stores System properly accounts for inventory purchase and usage data.


Maintenance Management System

The Maintenance Management System (MMS) provides performance budgets and management information regarding statewide highway maintenance projects. The department does not determine the maintenance budget from MMS but uses the system to allocate division funding once a total budget is established. In our review, we noted a lack of supervisory review of the accuracy of the activity reports input to the MMS. The department should ensure the activity reports are reviewed prior to input to the MMS.
implementing our audit recommendations. The department should be commended for requesting an EDP audit and for its prompt response to our EDP audit concerns.
Introduction

This is an audit of internal controls relating to the Department of Transportation's computer-based systems. The department is concerned with its continually changing computerized environment and recognizes the necessity of having strong internal controls. The department requested an electronic data processing (EDP) review of its financial and management support applications to assist it in evaluating current internal controls. The Legislative Auditor approved performing the Department of Transportation EDP audit.


EDP Audit General and Application Controls

An EDP audit consists primarily of a review of internal controls. In an automated environment the procedures for reviewing controls are different from those used in a manual environment. However, the objective of ensuring the reliability of controls is still the same. EDP auditing entails performing a general and an application control review. The general control review consists of an examination of the following controls and objectives:

Organizational - No one person should be able to conceal material errors or irregularities.

Procedural - Daily operations should protect against processing errors.

Hardware & Software - Hardware and systems software should indicate malfunctions and maintain integrity.

System Development - System design and maintenance activities should promote system control and integrity.

Physical Controls - Loss or destruction of assets and records should be prevented and continuous operations should be assured.

Access - Access to hardware and electronic information should be limited to authorized individuals.

A general control review provides information regarding the ability to control EDP applications operating in that environment. Application controls are specific to a given application or a set of programs that accomplish a specific objective.
Application controls consist of an examination of the following controls and objectives:

Input - Ensure all data is properly encoded to machine form and that all entered data is approved.

Processing - Ensure all data input is processed as intended.

Output - All processed data is reported and properly distributed to authorized individuals.

A review of the application documentation and audit trail is also performed. Applications must operate within the general controls environment in order for any reliance to be placed on them.


Audit Objectives

The objectives of our EDP audit of the Department of Transportation are as follows:

1. To determine if the department is properly protecting and maintaining its computer-based information resources.

2. To determine the adequacy of general controls including: organizational, procedural, physical and environmental, electronic access, systems development, and disaster recovery controls.

3. To determine the adequacy of application controls over the Cost Accounting and Record Entry System (CARES) file, On-line Claims, Billing Voucher, and Construction Progress Estimate Systems, in order to evaluate the adequacy and accuracy of data processed by these systems.

4. To determine department compliance with section 2-15-114, MCA, and state policy governing data and information technology, which encompasses computer hardware and software, personnel, and electronic data resources.


Audit Scope

The audit was conducted in accordance with government audit standards. We measured the department's general and application controls against criteria established by the AICPA, the General Accounting Office (GAO), and accepted industry EDP guidelines. We reviewed the department's general controls as they relate to the department's data processing on the state mainframe and the department's minicomputers. We interviewed department personnel to gain an understanding of the hardware and software environment at the Department of Transportation. We reviewed application development and enhancement documentation. In addition, we obtained studies on the department's EDP systems performed by the Information Resource Manager and the Office of the Legislative Fiscal Analyst. We also obtained and reviewed EDP policies and procedure manuals. We visited field offices to ensure policies and procedures were being implemented as intended by department headquarters.

We conducted an application control review of four of the department's major EDP systems (CARES, On-line Claims, Construction Progress Estimate, and Billing Voucher). We reviewed input, processing, and output controls for these systems to ensure the systems are meeting their objectives. We also determined whether controls over data are effective and efficient, as well as adequate to ensure the accuracy of data during the various processing phases.


Compliance

We determined compliance with applicable state laws and rules and Montana Operations Manual (MOM) policies. The areas tested included a review of compliance with data processing requirements under section 2-15-114, MCA. Generally, we found the department to be in compliance with applicable laws and state policy.


General Background

The department is responsible for the planning, layout, construction, improvement, repair, and maintenance of state highways and federal aid system highways. The department's responsibilities also include the collection of fees and enforcement of laws related to Gross Vehicle Weight regulations. Effective July 1, 1991, Chapter 512, Laws of 1991, abolished the Department of Highways and created the new Department of Transportation. The law transferred the functions of the former Department of Highways, the Aeronautics and Transportation Divisions of the Department of Commerce, and the Motor Fuels Tax Division of the Department of Revenue to the Department of Transportation.

The Department of Transportation is under the direction of the Highway Commission and the director. The Highway Commission is composed of five members appointed by the governor to four-year terms with Senate confirmation. The commission determines construction priorities, selects construction projects, and determines the allocation of financial aid. It also classifies highways as federal aid highways, primary highways, and/or off-system highways in the state maintenance system. The commission may delegate certain functions to the director of the Department of Transportation. The director is appointed by the governor and confirmed by the Senate.

The department was authorized 1,933.83 full-time equivalent employees (FTE) during fiscal years 1989-90 and 1990-91. Budgeted expenditures and transfers out were $311,252,894 in fiscal year 1989-90 and $342,407,529 in fiscal year 1990-91. During the audit the department maintained nine programs: General Operations, Construction, Maintenance, Preconstruction, State Motor Pool, Equipment, Interfund Transfers, Stores Inventory, and Gross Vehicle Weight.

The Information Services Bureau of the Support Services Division, which consists of 35 FTE, manages, plans, and approves the department's long-term strategies centered on computer equipment, software, and data network resources. The bureau also defines system application, programming, and enhancement standards for computerized applications. In addition, it establishes policy and procedures to ensure quality control of services and security of computerized resources.

The Department of Transportation maintains a diverse computer environment. The department owns and operates 13 IBM Series/1 minicomputers, a VAX 785 minicomputer, and a MicroVAX 2000 minicomputer. The Series/1 minicomputers each communicate directly with the state mainframe. The VAX equipment is networked together with a gateway to the state mainframe. Microcomputers and terminals on the network may communicate with any of the equipment on the network and the state mainframe. In addition, some microcomputers use communication software to communicate directly with district offices.

The department supports 38 mainframe and over 490 mini/micro applications. Mainframe applications include the Payroll and Personnel System, Billing Voucher, Progress Estimate, etc. Microcomputer and minicomputer applications include accounts receivable, cash forecasting, project complaints, etc.
Introduction

General controls are developed by the computer user to protect assets and limit losses. In our review of the Department of Transportation's general control environment we found that organizational and physical controls were adequate and noted weaknesses in electronic access assignments, data procedural controls, and system development and maintenance procedure controls. These issues are discussed in the following sections.

Access Controls

Access controls provide electronic safeguards designed to ensure computer system resources are properly used. Logon IDs and passwords control access to the department's computer systems, computer programs, and computer data. System and application programmers have the highest degree of technical expertise in the computer processing facility and therefore play an important role in maintaining the system. However, managers have the primary responsibility for maintaining adequate controls. To ensure system integrity, management should install appropriate controls, which may require some trade-off of system performance.

The department's security officer writes rules which limit access to specific areas of the system. Assigning limited access based on job duties and requirements also facilitates checks and balances in the system. This approach prevents users from inadvertently or willfully executing programs or changing data unrelated to their job. In the case of programmers, access to programs would be authorized and access to data would be denied. Programmers can also be prevented from executing the programs they have written. In this environment, no one individual has total control.

Access controls permit separation of the input/output function and the programming function. The Input/Output controller cannot alter data or write or change programs. He/she must have access to all production programs and data files in order to manage, control, and log the flow to and from the computer. Programmers can write programs, but they should not have access to the data or the production programs. The problems described below increase the potential for inappropriate use of the department's programs and data.


Programmer's Access Should Be Restricted

The department access rules give programmers access rights to the master data files of the systems they support. Systems included are payroll, stores, maintenance management, equipment management, motor pool, federal billing voucher, and construction progress estimate.

Because we found no compensating controls, and to ensure program integrity, programmers should not have access to these data files. At a minimum, programmer access to these files should be logged and reviewed. Because programmers have unlimited and unlogged access to master data files, the potential exists for unauthorized and untraceable manipulation of critical information. For example, under the existing access rules, programmers can enter or approve claims for payment, or edit or delete data from the master files. In addition, data in the CARES file, which provides input to all major department applications, could be altered and thereby corrupt all related applications.

Users stated programmers need access to facilitate the system support function. Programmers can support their assigned systems without these access rights. For example, access can be temporarily assigned on a case-by-case basis.

Recommendation #1

We recommend the department remove programmer access rights to master data files or log and review programmer access to these files.
Programmers as Backup Input/Output Controllers

Department personnel employed as Input/Output (I/O) controllers submit jobs/programs to process and update data for generating reports. In order to perform this job function, controllers require read access to production programs and read/write access to data files. In our review, we found department programmers also had unlimited access rights in order to back up the I/O function. As a result, programmers can and do submit jobs when I/O controllers are not available. Programmer and I/O controller functions should be separate. Combining the rights of these functions diminishes the control obtained by having separate individuals assigned to these jobs. Allowing programmers unlimited access to production programs and data files gives them access to the entire process and increases the risk of undetected material errors or irregularities.

The security officer stated a group containing all programmers was created and given I/O access rights so the rights could be easily deleted as a group. Programmers have had these rights for over two years. Department personnel said unexpected employee turnover made using programmers necessary until the department completed training for newly hired I/O controllers. Adequate cross training between controllers and complete job documentation would smooth the transition and eliminate the need to use programmers as backup I/O controllers. The department indicated that cross training and job documentation are currently in process.

An alternative to giving all programmers universal I/O access would be to select someone from the user support group. If necessary, the department could select one programmer as backup and monitor his/her access.

Recommendation #2

We recommend the department:

A. Delete the universal I/O access for all programmers.

B. Adequately cross train Input/Output controllers.


Monitoring Access Controls

Mainframe access restrictions placed on each application are agreed upon among the user, programmer, and resource manager. This agreement is documented and given to the department security officer, who writes the access rules. Once written, these rules are not reviewed to see whether they achieve the agreed-upon access restrictions. Our review identified some rules that did not support or provide the agreed-upon access. The department should conduct a periodic review of the rules.

Once rules are in place, the computer system can be relied upon to execute them consistently. In addition, it can identify users who violate the rules. The department receives, reviews, and follows up on reports of rule violations and unauthorized access attempts for its state mainframe applications. At a minimum, the department should use the same process for its sensitive or critical minicomputer applications. Currently, the department has the ability to generate a similar access report for its minicomputer applications. However, access assignments for information maintained on the minicomputers are not assigned to unique individuals. Access assignments are made to user groups, making it impossible to track individual access. This weakness is further addressed in the shared logon ID section on page 11.

Recommendation #3

We recommend the department:

A. Periodically review established access rules.

B. Generate, review, and follow up on access violations for sensitive or critical applications on its minicomputer systems.
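The periodic review called for in Recommendations #1 through #3 (programmers holding rights on master data files, a logon that can both change programs and reach production data, and rules that grant more than the documented agreement) can be run mechanically against an exported rule set and access log. What follows is an added example written for this page, not the department's code or the security officer's actual rules: the rule set, the group names, the convention that a data set's last name qualifier is SOURCE, PROD, or MASTER, the agreement table, the access log lines, and the case-by-case grant list are all constructed assumptions.

```python
from collections import defaultdict

# Constructed access rules (assumption; not the department's real rules):
# (logon ID, group, data set, permissions). The last qualifier of a data set
# name is taken to say what it is: SOURCE (program source), PROD (production
# program library) or MASTER (master data file).
RULES = [
    ("JSMITH", "PROGRAMMERS", "PAYROLL.SOURCE", "RW"),
    ("JSMITH", "PROGRAMMERS", "PAYROLL.MASTER", "RW"),  # programmer on master data
    ("AJONES", "PROGRAMMERS", "STORES.SOURCE", "RW"),
    ("IOCTL1", "IOCONTROL", "PAYROLL.PROD", "R"),
    ("IOCTL1", "IOCONTROL", "PAYROLL.MASTER", "RW"),
    ("IOCTL1", "IOCONTROL", "PAYROLL.SOURCE", "RW"),   # controller can change programs
]

# The documented agreement between user, programmer and resource manager:
# the most each group may hold on each class of data set ("" means none).
AGREEMENT = {
    "PROGRAMMERS": {"SOURCE": "RW", "PROD": "", "MASTER": ""},
    "IOCONTROL": {"SOURCE": "", "PROD": "R", "MASTER": "RW"},
}

# Constructed access log: (date, logon ID, data set, action).
ACCESS_LOG = [
    ("1991-03-04", "AJONES", "STORES.MASTER", "UPDATE"),
    ("1991-03-05", "JSMITH", "PAYROLL.MASTER", "UPDATE"),
    ("1991-03-06", "IOCTL1", "PAYROLL.MASTER", "UPDATE"),
]
# Case-by-case grants approved for support work: (logon, data set, first day, last day).
TEMPORARY_GRANTS = [("AJONES", "STORES.MASTER", "1991-03-01", "1991-03-07")]

PROGRAMMERS = {logon for logon, group, _dsn, _perms in RULES if group == "PROGRAMMERS"}


def data_class(dsn):
    """Classify a data set by its last name qualifier."""
    return dsn.rsplit(".", 1)[-1]


def rule_drift(rules=RULES, agreement=AGREEMENT):
    """Rules granting more than the agreement allows: (logon, data set, extra)."""
    drift = []
    for logon, group, dsn, perms in rules:
        allowed = agreement.get(group, {}).get(data_class(dsn), "")
        extra = set(perms) - set(allowed)
        if extra:
            drift.append((logon, dsn, "".join(sorted(extra))))
    return drift


def sod_conflicts(rules=RULES):
    """Logon IDs that can both change programs (write to SOURCE or PROD) and
    reach master data, whichever group the rules file them under."""
    held = defaultdict(lambda: defaultdict(set))
    for logon, _group, dsn, perms in rules:
        held[logon][data_class(dsn)] |= set(perms)
    conflicts = []
    for logon, classes in held.items():
        changes_programs = "W" in classes["SOURCE"] or "W" in classes["PROD"]
        if changes_programs and classes["MASTER"]:
            conflicts.append(logon)
    return sorted(conflicts)


def unapproved_programmer_access(log=ACCESS_LOG, grants=TEMPORARY_GRANTS, programmers=PROGRAMMERS):
    """Programmer touches of master data not covered by an approved temporary
    grant; ISO dates compare correctly as strings."""
    findings = []
    for day, logon, dsn, action in log:
        if logon not in programmers or data_class(dsn) != "MASTER":
            continue
        covered = any(g_logon == logon and g_dsn == dsn and start <= day <= end
                      for g_logon, g_dsn, start, end in grants)
        if not covered:
            findings.append((day, logon, dsn, action))
    return findings


def review(rules=RULES, agreement=AGREEMENT, log=ACCESS_LOG, grants=TEMPORARY_GRANTS):
    """One periodic review run over an exported rule set and log."""
    return {
        "drift": rule_drift(rules, agreement),
        "sod": sod_conflicts(rules),
        "unapproved": unapproved_programmer_access(log, grants),
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(finding, items)
```

The separation-of-duties check deliberately ignores group membership and looks only at what each logon can actually do; in the sample the I/O controller's extra SOURCE rule is reported both as drift from the agreement and as a conflict, which is the point of running the two checks together.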


Process  for  Updating 
Access  Rules  Should  Be 
Improved 


In  the  mainframe  access  control  system,  access  rules  are  based  on 
individuals,  work  locations,  and  groups.  When  individuals  start 
work  at  the  department  they  are  assigned  to  a  group  with  the 
same  computer  access  needs.   Within  the  group  they  are  assigned 
to  a  work  location  with  a  logon  ID  and  password  unique  to  the 
individual.   For  example,  a  person  may  be  part  of  the  group  that 
inputs  on-line  claims  transactions  from  the  Equipment  Bureau 
location.  They  can  access  on-line  claims  but  they  can  only  input 
Equipment  Bureau  transactions.  Transactions  they  enter  are 
identified  by  their  logon  ID. 

When an employee leaves the department, the security officer 
removes him/her from the group and suspends his/her logon ID. 
When an employee changes work location within the department, 
the Personnel Bureau notifies the security officer of the change 
in location or employment status, and the security officer 
records the change on the mainframe system. The security officer 
believed this method worked and that a change to an employee's 
work location was reflected in all related applications. 

However, the On-Line Claims application incorporates its own 
security access mechanism. Restrictions on logon and work 
location specific to the On-Line Claims system are enforced by 
the On-Line Claims application, not by the mainframe access 
control system, so an employee's work location must also be 
changed within that system. Access changes to On-Line Claims 
must be made by the Accounting Bureau. The Accounting Bureau was 
not aware of this internal security requirement. As a result, 
several employees who had changed jobs within the department 
could still process activity in their former work area. 
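
The following reconciliation is added here as an illustration; it is not 
code from the department's systems or from this audit. It assumes two 
constructed data sets: a central record of each employee's group, work 
location and active status as the security officer maintains it, and a 
separate application-level table of the work locations each logon ID may 
input for, standing in for the On-Line Claims security mechanism. Every 
logon ID, location and field name is hypothetical. The reconcile() 
function lists each application grant the central record no longer 
supports, which is exactly the condition found above; transfer() shows 
the change being applied to both records at once. 

```python
"""Reconcile the central access record with an application's own access
table.  Added example, not code from the audit or the department: the
records, logon IDs, locations and field names below are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CentralRecord:
    """What the security officer maintains: group, current work location,
    and whether the logon ID is still active (suspended on termination)."""
    logon_id: str
    group: str
    location: str
    active: bool = True


# Central access rules as the security officer believes them to be (constructed).
CENTRAL = [
    CentralRecord("jdoe01", "CLAIMS_INPUT", "EQUIPMENT_BUREAU"),
    CentralRecord("asmith2", "CLAIMS_INPUT", "MAINTENANCE_DIV"),  # moved from ACCOUNTING
    CentralRecord("bjones3", "CLAIMS_INPUT", "ACCOUNTING"),
    CentralRecord("cold04", "CLAIMS_INPUT", "ACCOUNTING", active=False),  # left
]

# The application's own table of which work locations each logon may input for.
# It is maintained separately (by a different bureau) and was never told about
# the transfer or the termination (constructed).
APP_ACCESS = {
    "jdoe01": {"EQUIPMENT_BUREAU"},
    "asmith2": {"ACCOUNTING"},
    "bjones3": {"ACCOUNTING"},
    "cold04": {"ACCOUNTING"},
}


def authorized(logon_id, location, central=CENTRAL, app_access=APP_ACCESS):
    """Decide as the two systems actually do: the mainframe admits only active
    logons, then the application consults its own location table."""
    rec = next((r for r in central if r.logon_id == logon_id), None)
    if rec is None or not rec.active:
        return False
    return location in app_access.get(logon_id, set())


def reconcile(central=CENTRAL, app_access=APP_ACCESS):
    """List every application grant the central record does not support:
    locations an employee no longer works at, and rows for inactive logons."""
    findings = []
    by_id = {r.logon_id: r for r in central}
    for logon_id, locations in sorted(app_access.items()):
        rec = by_id.get(logon_id)
        if rec is None or not rec.active:
            findings.append((logon_id, "inactive-logon-still-granted", sorted(locations)))
            continue
        stale = sorted(locations - {rec.location})
        if stale:
            findings.append((logon_id, "stale-location-grant", stale))
    return findings


def transfer(logon_id, new_location, central=CENTRAL, app_access=APP_ACCESS):
    """Apply a work-location change to both stores at once and return the new
    copies; this is the notification step the audit found missing."""
    new_central = [replace(r, location=new_location) if r.logon_id == logon_id else r
                   for r in central]
    new_app = {k: set(v) for k, v in app_access.items()}
    new_app[logon_id] = {new_location}
    return new_central, new_app


if __name__ == "__main__":
    for finding in reconcile():
        print(*finding)
```

Run periodically, reconcile() gives the security officer the list of 
application rows to correct; the suspended logon still carrying a grant 
is harmless today but becomes live the moment the ID is reactivated. 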


Recommendation  #4 

We recommend the department security officer notify the 
Accounting Bureau of all employee work location changes 
which affect access to the On-Line Claims system. 


Employees Share Logon 
IDs and Passwords 


A logon ID unique to a specific computer user and protected by 
a password known only to that user provides a good means of 
limiting access to appropriate users and helps provide 
accountability for work done. We found the department's use of 
this control is ineffective for two reasons: 1) the department 
assigns group logon IDs, and 2) employees share their individual 
user logon IDs with fellow employees. 

Group logon IDs eliminate system logon accountability. Using 
group logon IDs allows unauthorized and untraceable access to 
data and programs. It also magnifies the effect of a change when 
one member of the group leaves or transfers, because the shared 
password must then be changed and redistributed to every 
remaining member. Each employee requiring computer access to 
perform his/her job duties should be assigned a unique logon ID. 

In field locations, the department assigns one logon ID to the 
user groups at that location. Those using the logon ID must agree 
on a single password. Diverse groups access several different 
applications maintained on the state mainframe. Some groups need 
to share common files to complete projects. Currently the groups 
using Oracle software and Computer Assisted Drawing (CAD) 
software are assigned one logon ID per project to facilitate 
sharing files. The same sharing could be accomplished by giving 
each user a unique logon ID and granting the project files the 
appropriate access permissions. 
We also found instances of employees working together who share 
the password for their assigned logon ID. The employees 
involved may not understand the impact of disclosing their 
password. As discussed above, shared IDs and passwords also 
eliminate accountability. Employees share logon IDs and 
passwords so they can help each other with their daily duties as 
well as provide backup in case of absences. We believe this could 
be better accomplished by establishing appropriate access 
assignments for each employee through a unique logon ID. 
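
The following report is added here as an illustration and is not taken 
from the department's systems or from this audit. It shows what the 
review of rule violations and unauthorized access attempts described 
under Recommendation #3 looks like when run over a log, and what the 
group logon IDs discussed in this section cost the reviewer: a denied 
attempt under an individual's ID can be followed up with that person, 
while the same attempt under a group ID can only be attributed to 
everyone who knows the shared password. The log format, logon IDs, 
resource names and the directory mapping logon IDs to people are all 
constructed for the example. 

```python
"""Access-violation report with accountability check.  Added example, not
from the audit: the log format, logon IDs, resource names and directory
below are constructed to show what a group logon ID costs the reviewer."""
import re
from collections import defaultdict

# Constructed access-monitoring log.  DIST3OPS is a group logon ID shared
# by everyone at a district; JDOE01 is an individual's ID.
LOG_LINES = """\
1991-03-04 08:12:33 LOGON=JDOE01 TERM=T117 RESOURCE=HOC.CLAIMS ACTION=UPDATE RESULT=ALLOWED
1991-03-04 08:14:05 LOGON=JDOE01 TERM=T117 RESOURCE=PAYROLL.PERSONNEL ACTION=READ RESULT=DENIED
1991-03-04 09:01:47 LOGON=DIST3OPS TERM=T221 RESOURCE=STORES.MASTER ACTION=UPDATE RESULT=ALLOWED
1991-03-04 09:02:10 LOGON=DIST3OPS TERM=T221 RESOURCE=MMS.BUDGET ACTION=UPDATE RESULT=DENIED
1991-03-04 09:02:31 LOGON=DIST3OPS TERM=T221 RESOURCE=MMS.BUDGET ACTION=UPDATE RESULT=DENIED
1991-03-04 13:45:02 LOGON=DIST3OPS TERM=T219 RESOURCE=PAYROLL.PERSONNEL ACTION=READ RESULT=DENIED
1991-03-04 16:20:19 LOGON=XTEMP99 TERM=T300 RESOURCE=HOC.CLAIMS ACTION=UPDATE RESULT=DENIED
"""

# Who is allowed to use each logon ID (constructed).  An individual ID maps to
# one person; a group ID maps to everyone who knows the shared password.
LOGON_DIRECTORY = {
    "JDOE01": ["J. Doe"],
    "DIST3OPS": ["R. Able", "S. Baker", "T. Cole"],
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGON=(?P<logon>\S+) TERM=(?P<term>\S+) "
    r"RESOURCE=(?P<res>\S+) ACTION=(?P<act>\S+) RESULT=(?P<result>ALLOWED|DENIED)$"
)


def parse(text):
    """Parse log lines into dicts; an unrecognised line is an error, not a skip."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(m.groupdict())
    return events


def attribution(logon, directory):
    """Return (attributable?, description) for a logon ID."""
    people = directory.get(logon)
    if people is None:
        return False, "unknown logon ID, not in directory"
    if len(people) == 1:
        return True, f"attributable to {people[0]}"
    return False, f"shared by {len(people)} people, not attributable to an individual"


def violation_report(text, directory):
    """One row per logon ID with denied attempts, for security-officer follow-up."""
    denied = defaultdict(list)
    for ev in parse(text):
        if ev["result"] == "DENIED":
            denied[ev["logon"]].append(ev)
    rows = []
    for logon, events in sorted(denied.items()):
        ok, why = attribution(logon, directory)
        rows.append({
            "logon": logon,
            "denied": len(events),
            "resources": sorted({e["res"] for e in events}),
            "terminals": sorted({e["term"] for e in events}),
            "attributable": ok,
            "note": why,
        })
    return rows


if __name__ == "__main__":
    for row in violation_report(LOG_LINES, LOGON_DIRECTORY):
        print(row["logon"], row["denied"], row["note"])
```

The terminal column is the only lead the reviewer keeps for a group ID, 
and it narrows the set of people rather than naming one; a logon ID that 
is in the log but not in the directory is itself a finding. 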


Recommendation  #5 

We  recommend  the  department: 

A.  Discontinue  use  of  group  logon  IDs. 

B.  Assign  adequate  access  to  each  logon  ID  to  permit 
each  employee  to  do  his/her  job. 

C.  Emphasize  to  employees  the  importance  of  keeping 
passwords  secure. 


Input/Output  Controller 
Responsibilities 


Department  Input/Output  (I/O)  controllers  submit  production 
run  jobs.   At  the  request  of  the  system  user,  they  submit  the  job 
for  processing;  make  certain  all  the  data  files  are  available; 
resolve  problems  that  come  up  during  processing;  follow  up  on 
data  errors  detected  during  processing;  and  ensure  proper  distri- 
bution of  the  output. 


In evaluating the I/O controller responsibilities and the 
department's implementation of procedures, we found the I/O 
manual is incomplete, I/O controllers lack a problem resolution 
guide, and they do not adequately control output. These issues 
are discussed below. 
The I/O manual does not identify job submission parameters, 
job abnormal termination resolutions, and job distribution 
procedures. We found that the jobs submitted by I/O controllers 
were not fully documented. Each controller was familiar with a 
set of jobs and only submitted those jobs. No job documentation 
existed to allow another I/O controller to adequately process a 
job request in case of employee absence or turnover. 

We noted I/O controllers do not require a user to submit a Job 
Request Form to run a job. On occasion, if the user forgets to 
request a run at its regular day/time, the I/O controller may run 
it without any form of request. Use of a job request form would 
give I/O controllers a better understanding of each job, provide 
efficient distribution of output, and ensure continued 
operations. The job request form should specify which job to 
run, which data to process it against, and how to distribute the 
output. The chance of error increases if the specific elements 
of how to process the run are not documented in the I/O manual. 

The department should also develop a problem resolution guide 
as part of the I/O controller manual. This guide would 
facilitate consistent, approved solutions to computer 
operational and/or recovery problems and contain instructions 
for setup, restart and recovery. 

We found computer printouts are not controlled by the I/O 
controllers. Printouts, except for output for the Accounting 
Bureau, are placed on the data processing counter for pickup. 
Because Accounting Bureau printouts may contain confidential 
material, they are placed on a desk where only accounting 
personnel are allowed to pick them up. We found in our testing 
that the output security was not adequate. This could result in 
misplaced or improperly distributed reports, and the potential 
release of confidential information to unauthorized individuals. 
As an alternative to placing the output where it is available to 
all, the I/O controller should provide it to authorized personnel 
only or the department should establish a mailbox system. 
Recommendation #6 

We  recommend  the  department: 

A.  Update  the  I/O  controller  manual  to  document  a 
problem  resolution  guide,  procedures  for  distributing 
computer  output,  and  a  requirement  for  a  complete 
job  request  for  each  job  run. 

B.  Establish  procedures  for  appropriate  distribution  of 
computer  output. 


System  Maintenance 
Should  Be  Controlled 


Programmers  develop  new  systems  based  on  approved  written 
requests  from  the  user.  When  the  programmer  completes  the 
system,  it  is  documented,  reviewed  and  approved.  Subsequent 
system  enhancements  follow  the  same  procedures.   However,  the 
department  does  not  require  the  same  process  for  maintenance 
changes. 

For the most part, maintenance changes do not alter the 
functionality of the application. The change usually reflects 
the correction of a mistake in the initial coding. Although the 
department does require programmers to document and report 
maintenance changes monthly, the absence of a comparable 
approval process for maintenance changes weakens its system 
development procedures. No procedure exists to ensure all 
maintenance changes are appropriate, authorized, documented, and 
reported to management. 

Maintenance changes should be subject to the same request, 
approval, documentation, and review procedures that apply to 
system enhancements. This provides consistent evaluation of the 
adequacy of every program change. 
Recommendation #7 

We  recommend  the  department  establish  procedures  to 
authorize  and  review  system  maintenance  changes. 


Contingency Planning 


Contingency planning is a basic element of safeguarding computer 
systems and information resources. Contingency planning 
involves collecting plans, procedures, arrangements, and 
information which are completed, compiled, and held in readiness 
for use in the event of a disruption of normal activities. A 
contingency plan should be comprehensive and periodically tested 
to facilitate an adequate recovery process. The contingency plan 
should include consideration of physical facilities, personnel, 
operating instructions, supplies and forms, application programs, 
including documentation, and system software and data. It 
should start with an inventory of equipment and programs and 
be regularly updated to reflect changes in computer equipment 
and programs. 

We  reviewed  the  department's  contingency/disaster  plan  which 
was  completed  on  June  1,  1990.  Our  review  indicated  the 
department  would  benefit  by  updating  the  plan.   We  reviewed 
the  plan  to  determine  if  it  contained  the  minimum  contingency 
guidelines  as  stated  in  section  1-0240.00,  MOM.   We  noted  the 
department's  plan  could  be  improved  by: 

1.  Providing  a  detailed  definition  of  the  responsibility  for 
each  organizational  unit. 

2.  Identifying  recovery  staff  in  the  service  unit  and  in  user 
divisions. 

3.  Providing  for  training  of  staff  in  the  service  unit  and  the 
end  users. 

4.  Identifying  potential  disasters  or  their  impact. 
5. Including the impact of needs for data security, 
communication services, power sources, etc. 

6.  Including  a  checklist  of  supplies  and  other  requirements. 

7.  Having  an  established  procedure  for  updating  the  plan. 

The department uses computers in every facet of its operations. 
Loss of computer use would significantly impact department 
operations. The department has discussed many of the options 
and solutions for recovering from a disaster or other disruption 
of normal activities. These discussions have not been 
documented. A written, detailed plan outlining recovery 
procedures should exist and be tested to ensure the plan is 
feasible. Maintaining an adequate contingency plan will ensure 
continued data processing operations and bring the department 
into compliance with section 1-0240.00, MOM. 


Recommendation  #8 

We  recommend  the  department: 

A.  Comply  with  the  contingency  guidelines  for  agencies 
specified  in  section  1-0240.00,  MOM. 

B.  Periodically  test  the  contingency  plan. 
Introduction 


The department uses the Cost Accounting and Record Entry 
System (CARES) to edit, record, and store department 
transactions. The CARES file does not process data. 

Department personnel from headquarters and district offices 
input information into six subsystems. These systems provide 
input to the CARES file. Each subsystem verifies the 
information through input and/or processing edits. Department 
personnel can correct subsystem data before the data is recorded 
in CARES. The six input systems are as follows. 

1.  On-line  Claims 

2.  Payroll  Subsystem 

3.  Stores  System 

4.  Maintenance  Management  System 

5.  Equipment  Management  System 

6.  Motor  Pool  Management  System 

CARES  simply  provides  a  common  master  file  for  the  above 
systems  to  utilize  for  exchanging  data.   Data  from  CARES  is 
used  by  the  various  systems  to  update  other  files  and  to  generate 
reports.  The  department  designed  the  CARES  file  to  accept  the 
department's  accounting  data;  edit  new  data;  and  report  errors 
found. 

We performed an application review of the On-line Claims 
System. Overall, we concluded the controls within the On-line 
Claims System are adequate to ensure data integrity. To 
determine the integrity of CARES data originating from the other 
subsystems, we reviewed the input and output controls for the 
remaining five input systems. This chapter summarizes our 
review of the On-line Claims System and the remaining CARES 
subsystems. 
On-Line Claims System 


The department implemented the Highway On-line Claims 
System (HOC) to provide a data entry function which allows 
multiple users to input transfer warrant claim information. The 
department designed the system to approve and edit input, 
provide vendor information, and provide user security. The 
system creates Statewide Budgeting and Accounting System (SBAS) 
records which are remote job entered (RJE) over communication 
lines for transfer to the Department of Administration. These 
revenue and expenditure records are then used to update SBAS 
and the Warrant Writing System. The On-line Claims System is 
comparable to the input system established by the Department of 
Administration for SBAS On-line Edit and Entry (OE&E). 

We reviewed application controls related to HOC. An 
application review includes an examination of input, processing, 
and output controls as explained in Chapter I. Overall, we 
determined HOC system objectives are being met and controls are 
adequate. We did, however, identify a system weakness which if 
corrected would improve system controls. 


No Check for Duplicate 
Payments 


HOC contains system edit tests which generate error or warning 
messages. All errors must be corrected before claim transactions 
process. While testing system edits, we noted no edit exists 
which would identify potential duplicate vendor payments. 
EDP guidelines suggest computer programs should check for 
duplicate entries. Internal control procedures should be 
established which prevent duplicate payments. 

Accounting personnel stated an automated invoice file is 
maintained for use by field offices to identify possible 
duplicate vendor payments. In our review, we noted field offices 
had instead established their own manual controls to detect 
duplicate payments, contrary to Accounting Bureau policy. In 
addition, these manual procedures varied between employees and 
field offices. The primary control identified in field offices 
is a manually prepared vendor payment log. Employees use this 
log to determine if specific invoices were paid. While this log 
compensates for the lack of system edits, human error may make 
the manual log less effective. For example, while we were 
visiting one district, a vendor reported receiving two payments 
on one invoice. District personnel stated the log was not 
updated in a timely manner and the invoice was paid twice. A 
duplicate payment edit could prevent or detect such duplicate 
payments. 


Department management stated a warning (prevention) edit was 
discussed during system development. Management indicated 
implementing a warning edit was considered too costly to 
develop and use. However, we believe a monthly detection 
program could be developed which would scan vendor payments 
and identify potential duplications. An automated procedure 
would be a more efficient way to identify duplicate payments, 
and the department would no longer depend on vendors to report 
that they had received a duplicate payment. 
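
The following is added here as an illustration of both controls 
discussed in this section; it is not HOC code and not part of the 
department's systems. It assumes a constructed set of paid claims 
(claim number, vendor, invoice number, amount in cents, date paid) and 
two constructed matching rules: a warning edit run when a claim is keyed, 
which looks the vendor and invoice number up in the automated invoice 
file, and a monthly batch scan that flags the same vendor and invoice 
number paid twice, or the same vendor paid the same amount within a 
window under different invoice numbers. The normalization of invoice 
numbers (digits only, leading zeros dropped) is an assumption; a real 
file would tune it to the vendors it sees. 

```python
"""Duplicate vendor payment controls: a warning edit at claim entry against
the invoice file, and a monthly detection scan over paid claims.  Added
example, not HOC code: record layout, matching rules and data are constructed."""
import re
from collections import defaultdict
from datetime import date


def norm_vendor(vendor):
    return re.sub(r"\s+", " ", vendor.strip()).upper()


def invoice_key(vendor, invoice_no):
    """Normalise so 'INV-1234', '1234' and '001234' from the same vendor
    compare equal; if the number carries no digits fall back to its letters."""
    digits = re.sub(r"\D", "", invoice_no).lstrip("0")
    token = digits if digits else re.sub(r"\W", "", invoice_no).upper()
    return (norm_vendor(vendor), token)


# Paid claims as a monthly scan would read them (constructed).  Amounts in cents.
PAYMENTS = [
    {"claim": "C1001", "vendor": "Acme Gravel", "invoice_no": "INV-1234", "amount": 482000, "paid": date(1991, 1, 14)},
    {"claim": "C1057", "vendor": "ACME GRAVEL", "invoice_no": "1234", "amount": 482000, "paid": date(1991, 2, 2)},
    {"claim": "C1102", "vendor": "Big Sky Signs", "invoice_no": "77-A", "amount": 91550, "paid": date(1991, 2, 20)},
    {"claim": "C1140", "vendor": "Big Sky Signs", "invoice_no": "78-A", "amount": 91550, "paid": date(1991, 3, 5)},
    {"claim": "C1190", "vendor": "Big Sky Signs", "invoice_no": "91-B", "amount": 91550, "paid": date(1991, 9, 30)},
]


def build_invoice_file(payments):
    """The automated invoice file: first claim paid against each vendor/invoice."""
    paid = {}
    for p in payments:
        paid.setdefault(invoice_key(p["vendor"], p["invoice_no"]), p["claim"])
    return paid


def entry_edit(claim, invoice_file):
    """Edits run when a claim is keyed.  'E' messages block the transaction;
    'W' messages must be acknowledged before it processes."""
    msgs = []
    if claim["amount"] <= 0:
        msgs.append(("E", "claim amount must be positive"))
    if not claim["invoice_no"].strip():
        msgs.append(("E", "invoice number is required"))
    else:
        prior = invoice_file.get(invoice_key(claim["vendor"], claim["invoice_no"]))
        if prior is not None:
            msgs.append(("W", f"vendor/invoice already paid on claim {prior}"))
    return msgs


def blocked(msgs):
    return any(level == "E" for level, _ in msgs)


def monthly_duplicate_scan(payments, window_days=90):
    """Batch detection: same vendor and invoice number, or same vendor and
    amount paid within window_days under different invoice numbers."""
    by_invoice = defaultdict(list)
    by_vendor_amount = defaultdict(list)
    for p in payments:
        by_invoice[invoice_key(p["vendor"], p["invoice_no"])].append(p)
        by_vendor_amount[(norm_vendor(p["vendor"]), p["amount"])].append(p)
    findings = []
    for group in by_invoice.values():
        if len(group) > 1:
            findings.append(("same-invoice", sorted(p["claim"] for p in group)))
    for group in by_vendor_amount.values():
        group = sorted(group, key=lambda p: p["paid"])
        for a, b in zip(group, group[1:]):
            same_inv = invoice_key(a["vendor"], a["invoice_no"]) == invoice_key(b["vendor"], b["invoice_no"])
            if not same_inv and (b["paid"] - a["paid"]).days <= window_days:
                findings.append(("same-amount-window", sorted([a["claim"], b["claim"]])))
    return sorted(findings)


if __name__ == "__main__":
    for kind, claims in monthly_duplicate_scan(PAYMENTS):
        print(kind, *claims)
```

The entry edit is a warning rather than an error because a vendor can 
legitimately submit a second invoice with a re-used number; the operator 
must acknowledge it, which leaves a record. The batch scan catches what 
the entry edit cannot, a claim keyed before the invoice file was updated 
or keyed in a different field office, at the cost of finding it a month 
later. 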


Recommendation  #9 

We  recommend  the  department: 

A.  Ensure  field  offices  follow  Accounting  Bureau  policy 
regarding  the  automated  invoice  file. 

B. Evaluate an automated prevention or detection 
process which identifies potential duplicate 
payments. 


Payroll Subsystem 


The Payroll Subsystem controls payroll processing and personnel 
record keeping for the department. Employees submit 
timesheets either weekly or bi-weekly. All timesheets must be 
signed by the employee and approved by the employee's 
supervisor. Upon receipt of the timesheets, payroll clerks at 
headquarters and in district offices input timesheet information 
onto the system. 
Input and Output Controls 
are Adequate 


The payroll system contains approximately 50 system edits. All 
transactions input are subject to these edits. The department 
designed these edits to detect input errors before payroll 
processing. 

Once district office personnel enter timesheets, district payroll 
clerks generate a Labor Distribution Report. This report 
summarizes all payroll transactions by employee. District payroll 
clerks use this report to compare or reconcile the data entered 
to employee timesheets. District payroll clerks can still make 
corrections, if necessary, before the data is transmitted to the 
headquarters operations section. 

Before payroll transmission, district personnel call the 
Accounting Bureau and report payroll dollar totals. Accounting 
Bureau personnel compare the dollar totals transmitted from 
district offices to the amounts reported. If differences exist, 
Accounting Bureau personnel research the problem and make the 
necessary corrections. In addition, as operations personnel 
receive payroll transmissions from the districts, they verify 
the records received against the records transmitted. These 
procedures ensure all payroll records are received and accurate 
before the final payroll is sent to the State Auditor's Office. 

We found output controls exist which ensure the payroll 
processed by the State Auditor's Office is compared to district 
and headquarters records. Overall, controls related to the 
Payroll Subsystem are adequate to ensure the integrity of CARES 
data. 


Access to Payroll and 
Personnel Records Not 
Limited 


In our review of access assignments, we found all department 
employees with user logon IDs have read access to the Payroll 
Subsystem. The Payroll Subsystem maintains personnel records 
containing data regarding each employee's employment history, 
salary, and evaluations. All department employees with user 
logon IDs therefore have access to confidential and sensitive 
data. Section 2.21.6606 of the Montana Operations Manual states: 


Page  20 


Chapter  III 
Cost  Accounting  and  Record  Entry  System 


"It  is  the  policy  of  the  State  of  Montana  to  .  .  .  (c)  inform 
employees  about  what  personnel  data  is  collected,  why  it  is 
collected  and  who  will  have  access  to  the  information;  (d) 
provide  security  systems  which  limit  access  to  data  and  to 
operate  under  principles  of  confidentiality  which  govern 
who  should  have  access  to  personnel  data  and  when  they 
should  have  access  .  .  ." 

Department personnel explained a new access method was 
implemented which prevents any user from reading personnel data. 
However, the old access method was not removed and users can 
still access personnel data through it. 


Recommendation  #10 

We  recommend  the  department  limit  access  to  department 
personnel  records  to  those  authorized. 


Stores System 


The department created the Stores System to supply data to 
CARES for inventory billing purposes (usage) and to maintain an 
automated perpetual inventory system. The department's 
inventory includes equipment parts, road signs, gravel, etc. 
Department personnel from headquarters and the districts record 
inventory additions (purchases) and deductions (usage) on this 
system. 

In our review of Stores input controls, we found the following 
controls in place. Personnel responsible for Stores input ensure 
inventory requisitions are approved by appropriate personnel. In 
addition, the personnel entering Stores data do not requisition 
or approve inventory usage, which separates data entry from 
authorization. 
Control Weaknesses 
Identified 


Input  Controls 


We identified control weaknesses in the General Controls chapter 
which affect overall input controls within Stores (see page 11). 
District personnel using the Stores System share logon IDs and 
passwords. In addition, the Accounting Bureau and Purchasing 
Bureau have no control over who enters Stores data. 
Headquarters personnel do not know who or how many enterers 
there are at each district. Logon IDs should be assigned to a 
specific individual based on daily job duties. Access is 
controlled and monitored via the logon IDs; therefore, an ID 
should not be shared, so that all access is accountable to a 
specific individual. 


We  also  noted  district  personnel,  other  than  the  stock  person, 
entering  Stores  data  had  not  received  formal  input  training. 
Proper  user  training  should  be  given  to  all  users  involved  with 
collecting  and  entering  data.  This  will  ensure  consistency  and 
allow  for  proper  correction  of  errors. 


Output  Controls 


Headquarters implemented a claims/match process which 
compares all inventory purchases (claims from the On-line Claims 
System) to inventory additions. The claims/match is designed to 
ensure all inventory purchases are properly recorded on the 
inventory system. The claims/match process creates a file of 
claims which should match an inventory addition. The process 
generates reports identifying unmatched transactions. 
Accounting Bureau personnel investigate and resolve discrepancies. 


Accounting  Bureau  personnel  notify  district  offices  of  the  dis- 
crepancies. District  personnel  submit  Stores  adjustment  forms 
when  responding  to  Accounting  Bureau  inquiries.   Accounting 
Bureau  personnel  make  the  necessary  adjustments  to  the 
claims/match  file.  However,  there  is  no  assurance  that  the 
corresponding  adjustment  was  made  to  the  Stores  System.   As  a 
result,  necessary  Stores  corrections  may  not  have  been  made  and 
inventory  records  within  the  Stores  System  may  be  inaccurate. 
District personnel do not reconcile, review, or compare 
processed transactions to input totals or source documentation. 
Headquarters personnel indicated they do not review Stores 
inventory distributions. Headquarters personnel rely on district 
personnel to monitor inventory usage. 

Output controls ensure the accuracy, completeness, and security 
of data after processing. The department should ensure district 
personnel carry out the established procedures that require 
output to be reconciled with input, since that reconciliation is 
what ensures system integrity. 
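
The following is added here as an illustration of the output-to-input 
reconciliation called for above, and of the batch control totals the 
districts already report by telephone under the Payroll Subsystem; it is 
not code from the department's systems. It assumes a constructed batch 
of records (an identifier and an amount in cents) as keyed at a district, 
and the same batch as received at headquarters with one record dropped 
and one amount keyed with transposed digits. Three control totals 
(record count, dollar total, and a hash total of the identifiers) are 
enough to show the batches disagree; the per-record comparison then says 
which records to correct. 

```python
"""Input/output reconciliation with batch control totals.  Added example, not
from the department's systems: the record layout and both batches are constructed."""

# What a district keyed and reported (constructed): identifier, cents.
DISTRICT_INPUT = [
    {"id": "10231", "amount": 125000},
    {"id": "10377", "amount": 98750},
    {"id": "10402", "amount": 215000},
    {"id": "10455", "amount": 143200},
    {"id": "10519", "amount": 87600},
]

# What headquarters received after transmission (constructed): one record
# dropped and one amount keyed with transposed digits.
HQ_RECEIVED = [
    {"id": "10231", "amount": 125000},
    {"id": "10377", "amount": 98750},
    {"id": "10402", "amount": 251000},   # 215000 transposed
    {"id": "10519", "amount": 87600},
]


def control_totals(records):
    """Record count, dollar total and a hash total of the identifiers: the three
    numbers a district can read over the phone before transmitting.  The hash
    total catches a dropped or substituted record even when the dollars agree."""
    return {
        "count": len(records),
        "amount": sum(r["amount"] for r in records),
        "hash": sum(int(r["id"]) for r in records),
    }


def totals_agree(reported, received):
    return control_totals(reported) == control_totals(received)


def explain_differences(reported, received):
    """Once totals disagree, find which records are missing, extra or altered."""
    rep = {r["id"]: r["amount"] for r in reported}
    rec = {r["id"]: r["amount"] for r in received}
    if len(rep) != len(reported) or len(rec) != len(received):
        raise ValueError("duplicate identifiers in a batch")
    diffs = []
    for ident in sorted(set(rep) | set(rec)):
        if ident not in rec:
            diffs.append(("missing", ident, rep[ident], None))
        elif ident not in rep:
            diffs.append(("extra", ident, None, rec[ident]))
        elif rep[ident] != rec[ident]:
            diffs.append(("amount-changed", ident, rep[ident], rec[ident]))
    return diffs


if __name__ == "__main__":
    print(control_totals(DISTRICT_INPUT), control_totals(HQ_RECEIVED))
    for diff in explain_differences(DISTRICT_INPUT, HQ_RECEIVED):
        print(*diff)
```

The same comparison, run by district personnel between the Stores 
transactions they keyed and the processed output, is the reconciliation 
the report found was not being performed. 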


Summary 


We determined input and output controls related to the Stores 
System are not adequate. We noted Stores personnel entering 
data were not adequately trained and logon IDs were shared. In 
addition, procedures to ensure inventory purchases and usage are 
properly accounted for were not consistently applied at the 
districts. These weaknesses reduce the integrity of the Stores 
data maintained on the CARES file. 


Recommendation  #11 

We  recommend  the  department  implement  documented 
procedures  which  ensure  the  Stores  System  properly 
accounts  for  inventory  purchases  and  updates  usage  data. 


Users  Manual  Not  Current 


Agency personnel indicated the Stores System users manual does 
not reflect current operating procedures. In addition, district 
personnel indicated they did not have documented updates to the 
manual. They stated procedures have changed over the past 13 
years but the manual has not been updated. Stores management 
indicated they plan to rewrite the manual after the Series 1 
computers are replaced. The Series 1 is planned for replacement 
by the end of fiscal year 1993. 
System standards suggest user involvement and procedures be 
adequately documented for each application. Using outdated 
manuals and procedures increases the risk of inventory 
misstatement. 


Recommendation  #12 

We  recommend  the  department  ensure  Stores  user  manuals 
are  current  and  timely  updated. 


Maintenance Management 
System 


The department implemented the Maintenance Management 
System (MMS) to provide performance budgets and management 
information regarding statewide highway maintenance projects. 
The department does not determine the maintenance budget 
from MMS but uses the system to allocate division funding once 
a total budget is established. In our review we found problems 
regarding MMS input controls. 


Input Control Weakness 


District personnel input MMS data through the Series 1 
computers. As noted in General Controls, all users within a 
district share a logon ID and password. Shared IDs and passwords 
limit data input controls and increase the possibility of 
processing an unauthorized transaction. 

Field employees record work performed on an activity report. 
This report identifies equipment and materials used, as well as 
labor hours. The report has a place for the preparer and 
reviewer to sign. However, the MMS field manual does not 
specifically require signatures. EDP audit standards state only 
properly authorized and approved input should be accepted for 
processing. We found source documentation which was not 
signed by the reviewing supervisor. As a result, the review was 
not documented and data input to MMS may not be valid. In 
addition, MMS enterers stated the reviewers do not actually 
review the information for accuracy. Enterers stated they must 
make corrections to the information on the activity reports, 
which indicates that an adequate supervisory review was not 
performed. 

Based upon the weaknesses identified above and the other 
general control weaknesses noted, we determined the input 
controls are not adequate to ensure the integrity of MMS 
stockpile usage and production data maintained on the CARES 
file. 


Recommendation  #13 

We  recommend  the  department  establish  and  document  a 
supervisory  review  of  MMS  activity  reports. 


Equipment Management 
System 


The Equipment Bureau maintains the Equipment Management 
System (EMS). EMS aids in the management of the department's 
fleet and equipment shops. The fleet is comprised of motor pool 
vehicles, snow plows, graders, etc. The equipment shops provide 
parts and service to maintain the fleet. The goal of EMS is to 
assist the bureau in providing replacement equipment and in 
maintaining and repairing existing equipment in a cost effective 
manner. The department developed the system with the following 
objectives: 

Preserve the investment in the fleet through timely 
servicing and preventive maintenance and repairs; 

Maintain equipment rental rates and financial information; 

Identify fleet repairs and causes so as to reduce downtime; 

Maintain an equipment replacement component that 
identifies equipment that has reached economic life; 

Ensure efficient and economical use of the fleet and 
manpower; and 

Purchase vehicles and equipment that are multifunctional 
and that will support maintenance, engineering, 
construction, and other user requirements. 

The  department  designed  EMS  to  provide  necessary  information 
concerning  shop  operations,  utilization  and  costs,  and  provide 
procedures  for  budgeting.  EMS  uses  accounting  information 
supplied  initially  from  field  reporting,  as  well  as  payroll  and 
stores  data  from  the  CARES  file. 

The  Equipment  Usage  Report  supplies  usage  data  by  account 
code  and  preventive  maintenance  information.   Data  input  from 
the  Equipment  Usage  Report  is  stored  on  the  CARES  file. 

EMS depends heavily on computer processed data. Data is input 
from headquarters and district offices. Data is edited before 
submission for processing in Helena. 

Equipment Bureau personnel are responsible for editing data and 
maintaining the equipment system files. The bureau also 
generates and distributes reports and corrects field errors. 
Based on our testing of the application, we identified control 
issues regarding inadequate application documentation and 
improper correction procedures which will be reported in the 
performance audit, Department of Transportation Equipment 
Operations, report number 91P-28. In addition, as noted in the 
General Controls chapter (Chapter II), all users within a 
district share a logon ID and password. Shared IDs and passwords 
reduce data input controls and increase the possibility of 
processing an unauthorized transaction. Additional concerns 
regarding the billing portion of the EMS will be included in the 
financial-compliance audit, Department of Transportation, report 
number 91-11. 

Based upon the input control weakness identified, we 
determined input controls are not adequate to ensure the 
integrity of EMS data. The EMS is vital to the Equipment Bureau 
for maintaining an adequate equipment fleet for various state 
needs; for example, highway snow removal, construction, 
engineering, etc. EMS data is also utilized by MMS via the CARES 
file. By strengthening EMS input controls, the department will 
improve the integrity of EMS data contained in the CARES master 
file. 


Motor Pool Management System


The department implemented the Motor Pool Management System (MPMS) to help manage the Motor Pool fleet. Motor Pool maintains a fleet of vehicles for use by state personnel. The MPMS tracks cost, income, repairs, and rental rate development. The department bills other agencies for vehicle usage based upon MPMS data.

The system controls input through vehicle odometer readings. All agency billings are tied to the number of miles driven. Motor Pool personnel review trip tickets for accuracy and sign the tickets indicating a review was performed. We reviewed trip tickets and found they were adequately approved.

Data entry controls the input of trip tickets by key verification procedures. Through key verification, data entry personnel other than the original enterer check the data for input accuracy.

The department assigns numbers to all vehicles. In addition, they assign a status code to the vehicle which permits or prohibits usage or maintenance charges. For example, the department assigns a specific status number to vehicles which are ready for auction and disposal. CARES edits prevent charges to vehicles in disposal status.

Based on our review, we found input and output controls adequate to ensure the integrity of MPMS data maintained on CARES.

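The two MPMS input controls described above (key verification by a second operator and the status-code edit that blocks charges to vehicles in disposal status) are shown below as an added illustration. This is not the department's MPMS or CARES code; the record layout, the status code values, the vehicle numbers and the sample trip tickets are all constructed for the example.

```python
"""Input edits on motor-pool trip tickets: the vehicle status-code edit and
key verification described in the report, as an added illustration.  This is
not the department's MPMS or CARES code; the record layout, the status code
values, the vehicle numbers and the sample tickets are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed status codes.  The report states that a specific status marks a
# vehicle as ready for auction/disposal and that CARES edits reject charges to
# such vehicles; the numeric values used here are invented for the example.
STATUS_ACTIVE = 1
STATUS_DISPOSAL = 9

KEYED_FIELDS = ("vehicle_no", "start_odometer", "end_odometer", "agency")


@dataclass(frozen=True)
class TripTicket:
    vehicle_no: str
    start_odometer: int
    end_odometer: int
    agency: str          # agency to be billed for the miles driven


def key_verify(first: TripTicket, second: TripTicket) -> List[str]:
    """Key verification: a second operator re-keys the same ticket.  Any field
    on which the two keyings disagree is returned so the source document can be
    consulted before the ticket is allowed into the file."""
    return [f for f in KEYED_FIELDS if getattr(first, f) != getattr(second, f)]


def edit_ticket(ticket: TripTicket, vehicle_status: Dict[str, int]) -> List[str]:
    """Application edits on a verified ticket.  Returns the list of edit
    failures; an empty list means the ticket is accepted."""
    errors: List[str] = []
    status = vehicle_status.get(ticket.vehicle_no)
    if status is None:
        errors.append("unknown vehicle number")
    elif status == STATUS_DISPOSAL:
        errors.append("vehicle in disposal status; charges prohibited")
    if ticket.end_odometer < ticket.start_odometer:
        errors.append("end odometer less than start odometer")
    if not ticket.agency:
        errors.append("billing agency missing")
    return errors


Rejected = List[Tuple[TripTicket, List[str]]]


def process_batch(pairs, vehicle_status) -> Tuple[List[TripTicket], Rejected]:
    """Run key verification, then the edits, over a batch of (first keying,
    second keying) pairs.  Nothing reaches the accepted list without passing
    both steps."""
    accepted: List[TripTicket] = []
    rejected: Rejected = []
    for first, second in pairs:
        mismatches = key_verify(first, second)
        if mismatches:
            rejected.append((first, ["key verification mismatch: " + ", ".join(mismatches)]))
            continue
        errors = edit_ticket(first, vehicle_status)
        if errors:
            rejected.append((first, errors))
        else:
            accepted.append(first)
    return accepted, rejected


def miles_by_agency(accepted: List[TripTicket]) -> Dict[str, int]:
    """Billing basis: all agency billings are tied to miles driven."""
    totals: Dict[str, int] = {}
    for t in accepted:
        totals[t.agency] = totals.get(t.agency, 0) + (t.end_odometer - t.start_odometer)
    return totals


# Constructed sample data, not taken from the report.
VEHICLE_STATUS = {"V-1001": STATUS_ACTIVE, "V-1002": STATUS_DISPOSAL}

SAMPLE_PAIRS = [
    # Clean ticket, keyed identically by both operators.
    (TripTicket("V-1001", 12000, 12150, "AGENCY-A"),
     TripTicket("V-1001", 12000, 12150, "AGENCY-A")),
    # Second keying disagrees on the end odometer: held for source review.
    (TripTicket("V-1001", 12150, 12300, "AGENCY-B"),
     TripTicket("V-1001", 12150, 12200, "AGENCY-B")),
    # Vehicle already in disposal status: rejected by the status edit.
    (TripTicket("V-1002", 500, 560, "AGENCY-C"),
     TripTicket("V-1002", 500, 560, "AGENCY-C")),
]


def run_sample():
    return process_batch(SAMPLE_PAIRS, VEHICLE_STATUS)


if __name__ == "__main__":
    acc, rej = run_sample()
    print("accepted:", len(acc), "rejected:", len(rej))
    print("miles billed:", miles_by_agency(acc))
    for ticket, reasons in rej:
        print("rejected", ticket.vehicle_no, "->", reasons)
```

Key verification runs before the application edits because a mis-keyed ticket can pass every edit and still bill the wrong agency or the wrong mileage; the status edit then keeps charges off vehicles that have left the fleet, which is the control the report found working in MPMS.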

CARES File Integrity


Finally, we tested CARES edits which identify data errors when the subsystems transfer data to the file. We determined the edits function as described. However, the edits do not compensate for control weaknesses identified in EMS, MMS, and Stores. CARES edits would not detect the type of data errors we believe could exist in these systems.

Based upon the findings presented within this chapter, we determined the integrity of the data stored on the CARES file which originated from EMS, MMS, or Stores is questionable. The data stored on the CARES file from the EMS, MMS, and Stores System relates to:

EMS - labor, insurance, tires, fuel, parts, assigned equipment and usage costs.

MMS - equipment and material used.

Stores - construction and maintenance materials, supplies used, and fuel.

We determined the input controls for Payroll, On-line Claims, and MPMS are adequate to ensure the integrity of respective data stored on the CARES file. Since all of the systems feed data into or receive data from CARES, if unreliable data enters one system it will affect another and another, causing the entire system to lose data integrity.
Introduction

The Engineering Division supervises the construction or reconstruction of roads and bridges to appropriate design standards from project award through completion and approval of the project. Field project managers supervise individual highway construction projects. The field project manager also prepares periodic progress estimates, which generate interim payments to contractors. On the average, these monthly interim contractor payments exceed $250,000. Some monthly payments to contractors exceed $1 million. Over $135 million of contractor payments passed through the Progress Estimate System in fiscal year 1989-90.

The Progress Estimate System collects project progress data from project engineers in the field. This data includes field observations, quantities delivered, and payment due to contractors. This system provides various reports regarding project status, reported quantities and calculated payments for district review, Construction Bureau (bureau) review and contractor payments. Data maintained on the system is also compared to data from signed contracts.

Field project managers submit these progress estimates via the Progress Estimate System through their respective district office to the Construction Bureau in Helena. The district and the Helena bureau review the progress estimate for reasonableness, but they approve the interim payments based on their reliance on the field project manager, who retains the detailed field notes and other support in the field office until the end of the project.

We reviewed the Progress Estimate System to determine the adequacy of the controls present in the system. In our review of the system we found weaknesses in the controls. We concluded controls over the Progress Estimate System are inadequate. The following sections discuss our evaluation of the department's use of the Progress Estimate System for interim and final contractor payments.

Interim Contractor Payments


The field project manager submits project estimate information to the district and Construction Bureau (bureau) through a series of verbal, manual, and/or electronic processes. The Progress Estimate System contains many procedures designed to ensure the integrity of the data, but the system as used by the department is not complete.

We found interim contractor payment procedures do not control the following aspects of a complete system. 1) Transfers of data from the field project manager to district to headquarters are not controlled. The integrity of the data is not checked on transfers from microcomputer to microcomputer or from microcomputer to mainframe. 2) The field project manager is responsible for the progress estimate, but the reviewers at the district and headquarters can and do change the estimates of materials used. These changes are made based on telephone calls, and documentation of the changes is not maintained. 3) District and headquarters approval is not documented. 4) Monthly reports are not controlled in either the hard copy or electronic format as they are returned to the district and the field project manager.

In the prior audits we identified the field project manager's preparation and approval of each project estimate as one of the key controls relating to expenditures. Our prior testing disclosed that the field project manager did not sign the project estimate as evidence of the control. Current inquiries indicate this control is not working as designed. Since the field project manager is on site at the project and prepares the original estimate, the field project manager is the individual with the best opportunity to compare input to output and detect errors in a timely manner.
The field project manager has the responsibility for the project without the authority to control it. We believe the following is one approach which would increase controls in the Progress Estimate System and improve the integrity of system data. First, restrict the ability to change data maintained on the Progress Estimate System to the field project manager. This could be done by restricting the district and bureau access to the file (i.e., make it "read only"). The field project manager transferring the interim progress estimate to the mainframe would facilitate this control. Second, allow only the field project manager to make changes and corrections suggested by the district and the bureau. Third, to ensure authorized payments are made, require approval by the district and the bureau to be documented either on the report or electronically. Finally, the district and the bureau should request reports directly from the Progress Estimate System to ensure they obtain the most current information.

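The four-step approach above (field-manager-only changes, read-only district and bureau access, documented approvals, and integrity of the data on each transfer) is worked through below as an added illustration. It is not the department's Progress Estimate System; the roles, the record layout, the hash-based control total used to detect alteration in transit, and the sample quantities are assumptions of this example.

```python
"""Progress-estimate hand-off from field project manager to district to
Construction Bureau, with the controls the report describes as missing:
integrity checks on each transfer, data changes restricted to the field
project manager, and documented approvals.  Added illustration, not the
department's Progress Estimate System; the roles, record layout and the
hash-based control total are assumptions of this example."""
import copy
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List

ROLE_FIELD_PM = "field_pm"
ROLE_DISTRICT = "district"
ROLE_BUREAU = "bureau"


class NotAuthorized(Exception):
    pass


def control_hash(items: Dict[str, float]) -> str:
    """Control total over the reported quantities.  Canonical JSON so the same
    data always produces the same value regardless of dictionary order."""
    return hashlib.sha256(json.dumps(items, sort_keys=True).encode()).hexdigest()


@dataclass
class Estimate:
    project: str
    period: str
    items: Dict[str, float]                       # pay item -> quantity reported
    control: str = ""                             # set by the originator
    corrections: List[dict] = field(default_factory=list)   # who changed what, and why
    approvals: List[dict] = field(default_factory=list)     # append-only review record

    def seal(self) -> None:
        self.control = control_hash(self.items)


def verify_transfer(est: Estimate) -> bool:
    """Receiving office recomputes the control total; a mismatch means the
    data was altered between sender and receiver."""
    return est.control == control_hash(est.items)


def change_quantity(est: Estimate, actor_role: str, item: str, new_qty: float, reason: str) -> None:
    """Only the field project manager may change estimate data.  District and
    bureau reviewers request a correction instead of editing the file."""
    if actor_role != ROLE_FIELD_PM:
        raise NotAuthorized(f"{actor_role} has read-only access; request a correction")
    est.corrections.append({"item": item, "old": est.items.get(item), "new": new_qty, "reason": reason})
    est.items[item] = new_qty
    est.seal()


def approve(est: Estimate, actor_role: str, reviewer: str) -> None:
    """Document a review.  The approval is bound to the control total it
    covered, so a later change to the data invalidates it automatically."""
    if actor_role not in (ROLE_DISTRICT, ROLE_BUREAU):
        raise NotAuthorized(f"{actor_role} cannot approve")
    if not verify_transfer(est):
        raise ValueError("control total mismatch: data altered in transit, do not approve")
    est.approvals.append({"role": actor_role, "reviewer": reviewer, "control": est.control})


def payable(est: Estimate) -> bool:
    """Interim payment may be generated only for intact data with current
    approvals from both the district and the bureau."""
    current = {a["role"] for a in est.approvals if a["control"] == est.control}
    return verify_transfer(est) and {ROLE_DISTRICT, ROLE_BUREAU} <= current


def run_scenario() -> Dict[str, object]:
    """Walk one estimate through the hand-off.  All values are constructed."""
    out: Dict[str, object] = {}
    est = Estimate("PROJECT-X", "1991-02", {"Excavation-Unclass": 1200.0, "White paint": 40.0})
    est.seal()

    # 1. Transfer to district: simulate an alteration in transit and detect it.
    tampered = copy.deepcopy(est)
    tampered.items["White paint"] = 48.0
    out["tamper_detected"] = not verify_transfer(tampered)

    # 2. District reviewer tries to change a quantity directly: refused.
    try:
        change_quantity(est, ROLE_DISTRICT, "White paint", 42.0, "phone call")
        out["district_edit_refused"] = False
    except NotAuthorized:
        out["district_edit_refused"] = True

    # 3. Field project manager makes the requested correction; it is recorded.
    change_quantity(est, ROLE_FIELD_PM, "White paint", 42.0, "district review: recount of gallons")
    out["corrections_logged"] = len(est.corrections)

    # 4. Both offices approve the corrected data; payment is now releasable.
    approve(est, ROLE_DISTRICT, "district reviewer")
    approve(est, ROLE_BUREAU, "bureau reviewer")
    out["payable_after_approvals"] = payable(est)

    # 5. A later change by the field project manager voids the approvals.
    change_quantity(est, ROLE_FIELD_PM, "Excavation-Unclass", 1250.0, "final measurement")
    out["payable_after_late_change"] = payable(est)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Binding each approval to the control total of the data it covered is what fixes accountability at each step: a reviewer's approval can never be read as covering quantities that were changed after the review, and any change carries the field project manager's recorded reason.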

We believe if the department implemented the following recommendations, the field project manager would have the authority to control the project he is responsible for. In addition, accountability for each progress estimate would be fixed at the various steps (i.e., field project manager, district, and bureau) in the Progress Estimate System.


Recommendation #14

We recommend the department:

A. Restructure the progress estimate interim payment system to provide control over the data between the field project manager and the contractor payment.

B. Document district and Construction Bureau review of the progress estimates.


Final Contractor Payment

At the completion of each construction project, the department performs a complete review. The bureau describes the final review process as follows.

The field project manager maintains a diary and field notes of progress, materials, labor, and other costs incurred in relation to the project. At project completion, the field project manager completes and sends to the district office all of the field notes and diaries. The district office reviews the documents and if any changes are necessary, the field project manager makes those changes. Once the district approves the adequacy of the documents, the district sends them to the bureau for an in-depth review.

The bureau reviewer ensures the diaries and field notes support the amounts and calculations made during the project. Using the supporting documents, the reviewer tests the accuracy of the calculations on the progress estimates and the final contractor payment. This final review process ensures the diaries and field notes support the final contractor payment. The bureau chief approves the final amount for payment based on the work of the reviewer.

We selected three projects with final payments made between July 1, 1990 and March 14, 1991 for review. As discussed in the following paragraphs, four of eight items, in two of the three projects, were not adequately supported by the field notes and diaries. Also, the reviewers did not document their procedures, so it was not possible for us to determine what test recalculations and tracing to source documents they completed.

We selected white paint as an item for review on one project. In the field notes, the white paint and the yellow paint were not distinguishable. When we asked the reviewer, he could not determine how the field project manager determined the number of gallons of white paint used and charged in a particular time period.

For two items, the diaries and field notes did not support the payment amount. At our request, the field project manager sent us the information he used to arrive at the amounts on the progress estimate. The additional documentation adequately supported the amounts, but the bureau reviewer did not have adequate information to verify the amounts for final payment. One of the amounts involved support for an item with a total value of $2 million.

Field note support for "Excavation-Unclass" amounts could not be explained by the reviewer. The "comp sheets," which support this item in total for the project, were not in the field notes or diaries. Upon request, the field project manager submitted the comp sheets which supported the final amount.

Based on our review, the procedures the bureau uses do not work as described and do not adequately prevent errors from occurring.

The bureau reviewers do not use written procedures or checklists to ensure that all of the reviewers follow the same guidelines. According to the contractor estimate section supervisor, the reviewers have the knowledge, experience, memos, and manuals to use as a reference for the reviews. Based on the problems noted above, the bureau needs a document that outlines a process for the reviewers to follow. A checklist or questionnaire will allow the reviewers to document their reviews and will provide some consistency among the reviewers.


Recommendation #15

We recommend the department establish formal written procedures documenting the final contractor payment review process.
Introduction

The Billing Voucher System prepares a bill for the Federal Highway Administration portion of the cost of constructing Montana's highways. Weekly, the Billing Voucher System extracts transaction information from the CARES file (Chapter III) and places it in the billing voucher file. The information extracted includes contractor payments from On-Line Claims, engineering and other personal service costs from the Payroll System, supplies from the Stores System, and vehicle and equipment charges from the Motor Pool and Equipment Management Systems.

The Billing Voucher System performs edit checks on the validity of the CARES data by comparing it to information in the billing voucher master file. The billing voucher master file contains background information on each construction project including project number, agreement number, system, agreement date, approval date, federal and state share, and status. In our review of the Billing Voucher System we tested input, processing and output controls to determine their adequacy and to evaluate the accuracy and integrity of billing voucher data. Based on the results of our review and weaknesses identified in the General Controls area (Chapter II), we concluded input controls are inadequate. We noted processing and output controls for the Billing Voucher System were adequate. The following sections discuss our concerns with the Billing Voucher System.


Billing Voucher Date Edit


Federal Highway Administration planning and construction programs limit their participation to costs incurred after "authorization to proceed" is granted. Further, the Federal Compliance Supplement to OMB Circular A-128 requires that audit procedures review whether costs were incurred subsequent to the date of authorization to proceed.

The date of service, or date costs were incurred, is not included in the CARES file or the Billing Voucher System file. In addition, the system does not contain an edit for this attribute. Therefore, the system does not contain the information necessary to determine if costs incurred by the department are eligible for federal reimbursement. The system assumes all costs extracted from CARES are eligible.

The department adds a project to the billing voucher master file when a project has been authorized. Adding a project to the master file allows costs to be charged to that project. Costs incurred prior to that time are charged to an overhead account. These overhead costs may be transferred to the project once the department adds the project to the master file. Not all of these costs are eligible for reimbursement, depending on the date of service, which is not available on the master file.

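The edit the passage describes as missing, a comparison of date of service against the project's authorization date before a cost is billed, is shown below as an added illustration. This is not the department's Billing Voucher System; the record layouts, the project and its authorization date, the federal share, and the sample cost records are constructed. Note the handling of the two cases the current system cannot decide: a cost with no date of service and a cost on a project not in the master file are both routed to review rather than presumed eligible.

```python
"""Date-of-service edit for a billing voucher extract: costs incurred before
the project's authorization-to-proceed date are ineligible for federal
reimbursement, and records lacking a date of service cannot be presumed
eligible.  Added illustration, not the department's Billing Voucher System;
the record layouts and sample values are constructed."""
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple


class Project(NamedTuple):
    project_no: str
    authorization_date: date    # date authorization to proceed was granted
    federal_share: float        # fraction of eligible cost billed to FHWA


class CostRecord(NamedTuple):
    project_no: str
    amount: float
    date_of_service: Optional[date]   # the field the report recommends adding


def date_edit(rec: CostRecord, master: Dict[str, Project]) -> str:
    """Return 'eligible', 'ineligible', or 'review'.  'review' covers the
    cases the edit cannot decide: unknown project or missing date of service.
    Neither is treated as eligible by default."""
    project = master.get(rec.project_no)
    if project is None:
        return "review"
    if rec.date_of_service is None:
        return "review"
    if rec.date_of_service < project.authorization_date:
        return "ineligible"
    return "eligible"


def build_voucher(records: List[CostRecord],
                  master: Dict[str, Project]) -> Tuple[Dict[str, float], List[Tuple[CostRecord, str]]]:
    """Federal amount billed per project, plus an exception list of records
    that were excluded and why."""
    billed: Dict[str, float] = {}
    exceptions: List[Tuple[CostRecord, str]] = []
    for rec in records:
        verdict = date_edit(rec, master)
        if verdict != "eligible":
            exceptions.append((rec, verdict))
            continue
        share = master[rec.project_no].federal_share
        billed[rec.project_no] = round(billed.get(rec.project_no, 0.0) + rec.amount * share, 2)
    return billed, exceptions


# Constructed master file and CARES extract (not from the report).
MASTER = {
    "PROJECT-1": Project("PROJECT-1", date(1990, 10, 1), 0.80),
}

EXTRACT = [
    CostRecord("PROJECT-1", 10000.00, date(1990, 11, 15)),   # after authorization
    CostRecord("PROJECT-1", 2500.00, date(1990, 9, 20)),     # overhead incurred before authorization
    CostRecord("PROJECT-1", 800.00, None),                   # no date of service recorded
    CostRecord("UNKNOWN", 100.00, date(1990, 11, 1)),        # project not on master file
]


def run_sample():
    return build_voucher(EXTRACT, MASTER)


if __name__ == "__main__":
    billed, exceptions = run_sample()
    print("billed to FHWA:", billed)
    for rec, why in exceptions:
        print("excluded", rec.project_no, rec.amount, "->", why)
```

The exception list is the audit trail the Compliance Supplement procedure asks for: every cost kept off the voucher is listed with the reason, so a reviewer can resolve the undated and unmatched records instead of the system silently billing them.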

Recommendation #16

We recommend the department:

A. Incorporate a date of service field into the CARES file and Billing Voucher System.

B. Establish a billing voucher edit which compares date of service to authorization date.


Changing CARES File Records

The CARES master file contains construction project related data in addition to SBAS and management information. As the Billing Voucher System extracts construction project information, it tests the project related data for validity. Errors are marked for correction.

The data correction screen permits changes to fields other than those related to the construction project. These other fields may have been calculated or passed through other edits in other systems. They are supported by the input document and are the amounts used by SBAS or the various management systems. Any necessary changes to this data should be made through the initial system used to input the document. Allowing changes to calculated fields will interrupt the natural flow of data processing and will reduce existing internal controls over data integrity.

Employees correcting data related to construction projects state they do not change other data because then it would not agree with the source systems. Any changes of this type would only occur accidentally. The department should restrict editing to only those fields in error, or at a minimum periodically review changes made.

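A correction screen restricted in the way the passage recommends, accepting changes only to the project-related fields an edit flagged and logging each change for periodic review, is shown below as an added illustration. It is not the department's code; the record layout, the master-file contents, the edit logic and the keying error in the sample record are constructed.

```python
"""Correction screen that can only change the fields an edit flagged.  The
report notes the existing screen permits changes to fields outside the
construction-project data (amounts calculated or edited by the source
systems); this added illustration restricts correction to the fields in
error and logs every change.  Not the department's code; the record layout,
the master-file contents and the edits are constructed."""
from typing import Dict, List

# Fields the report lists as project background held on the billing voucher
# master file; these are the only fields the correction screen may touch.
PROJECT_FIELDS = {"project_no", "agreement_no", "system", "agreement_date",
                  "approval_date", "federal_share", "state_share", "status"}


class NotCorrectable(Exception):
    pass


def validate(record: Dict, master: Dict[str, Dict]) -> List[str]:
    """Billing-voucher edits: the project must exist on the master file and
    the record's project attributes must agree with it.  Returns the names
    of the fields in error (empty list = record passes)."""
    proj = master.get(record["project_no"])
    if proj is None:
        return ["project_no"]
    errors = []
    for f in ("agreement_no", "system"):
        if record.get(f) != proj[f]:
            errors.append(f)
    return errors


def correct(record: Dict, changes: Dict, errors: List[str], user: str, log: List[Dict]) -> Dict:
    """Apply a correction.  Every changed field must be both a project field
    and one the edit flagged; anything else (amount, transaction date, ...)
    is refused and must be fixed in the source system.  The whole correction
    is refused if any field in it is not correctable, so nothing is logged
    for a refused attempt."""
    allowed = set(errors) & PROJECT_FIELDS
    refused = set(changes) - allowed
    if refused:
        raise NotCorrectable(f"fields not correctable here: {sorted(refused)}")
    corrected = dict(record)
    for f, new in changes.items():
        log.append({"user": user, "field": f, "old": record.get(f), "new": new})
        corrected[f] = new
    return corrected


# Constructed data, not from the report.
MASTER = {"P-100": {"agreement_no": "A-1", "system": "SYS-1"}}
RECORD = {"project_no": "P-10O",          # keying error: letter O for zero
          "agreement_no": "A-1", "system": "SYS-1", "amount": 5400.00}


def run_sample() -> Dict:
    log: List[Dict] = []
    errors = validate(RECORD, MASTER)
    out: Dict = {"errors": errors}
    # Attempt to fix the project number and quietly adjust the amount: refused.
    try:
        correct(RECORD, {"project_no": "P-100", "amount": 4500.00}, errors, "clerk", log)
        out["amount_change_refused"] = False
    except NotCorrectable:
        out["amount_change_refused"] = True
    # Correcting only the flagged field is accepted and logged.
    fixed = correct(RECORD, {"project_no": "P-100"}, errors, "clerk", log)
    out["fixed_validates"] = validate(fixed, MASTER) == []
    out["amount_unchanged"] = fixed["amount"] == RECORD["amount"]
    out["log_entries"] = len(log)
    return out


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

Refusing the whole correction when any field in it is outside the flagged set, rather than applying the permitted part, keeps the operator's intent visible to a reviewer: a partial apply would leave an amount change that looked like it had been accepted.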

Recommendation #17

We recommend the department restrict editing to only those data fields on CARES which relate to the construction projects.
Introduction

The objectives of our EDP audit were to determine if the department is properly protecting, maintaining, and preserving the integrity of data in its computer-based information resources. We accomplished this by reviewing the adequacy of the department's implementation of general and application controls. We reviewed the department's general controls as they relate to the state mainframe and the department's minicomputers. We included a review of application controls of four of the department's major EDP systems (CARES, On-line Claims, Construction Progress Estimate, and Billing Voucher). We determined if controls over data exist and are adequate to ensure the accuracy and integrity of data maintained on the systems.


General Controls

In our review of the department's general control environment, we found organizational and physical controls were adequate. We noted concerns with the general control environment relating to weaknesses in electronic access assignments, data procedural controls, and system development and maintenance procedure controls.

These concerns are as follows:

1. Programmers' system access exceeds their job requirements.

2. Programmers back up the I/O function. The two functions are incompatible.

3. Procedure for updating access rules should be improved.

4. Employees share logon IDs and passwords, which limits accountability for work done.

5. The input/output controller manual is incomplete for ensuring jobs are adequately processed.

6. Maintenance changes to existing programs do not require management's approval or review.

7. The department's contingency plan for ensuring continued operations in the event of a disaster should be updated in order to comply with section 1-0240.00, MOM.

The above seven areas of concern impact all of the department's computerized data processing operations. General controls provide a basis of reliability and data integrity for all systems. Applications used within a weak general control environment will reduce/eliminate the reliance which can be placed on the information they generate.


Application Controls

In our review of four critical computerized department applications, we noted concerns dealing with input, processing, and output controls.

The Cost Accounting and Record Entry System (CARES) derives data from the following six subsystems: On-line Claims, Payroll Subsystem, Stores System, Maintenance Management System (MMS), Equipment Management System (EMS), and Motor Pool Management System (MPMS).

We noted each subsystem verifies the entered data through input and/or processing edits. The various systems use data contained in CARES to update other files and to generate reports. We determined the input controls for Payroll, On-line Claims, and MPMS are adequate to ensure the integrity of respective data stored on the CARES file. In addition, we noted the integrity of the input data stored on the CARES file which originated from EMS, MMS, or Stores is questionable. Since all of the systems feed data into or receive data from CARES, if unreliable data enters one system it will affect another and another, causing the entire system to lose data integrity. The CARES file does contain erroneous information.

The Progress Estimate System collects project data of materials used to determine the payment amount due contractors. We reviewed the Progress Estimate System to determine the adequacy of the controls present in the system. In our review we found weaknesses in the controls. We noted data processing procedures were not completely implemented. Interim contractor payment procedures do not ensure: 1) data transfer integrity, 2) material usage changes are documented, 3) district and headquarters approvals are documented, and 4) monthly reports are controlled. In addition, the final project review procedures, which ensure contractor payments are accurate, do not prevent errors from occurring. Based on these findings, we concluded controls over the Progress Estimate System are inadequate and we question whether the department's objectives in implementing the Progress Estimate System have been met.

The Billing Voucher System review included testing input, processing and output controls to determine their adequacy and to evaluate the accuracy and integrity of billing voucher data. Based on the results of our review and weaknesses identified in our General Controls testing (programmers had unlimited/unnecessary access to data and act as backup I/O operators), we concluded input controls are inadequate. We noted processing and output controls for the Billing Voucher System were adequate.


Summary

In conclusion, our EDP audit identified significant weaknesses in the department's establishment of general and application controls. The weaknesses we identified impact the integrity of data maintained on the systems and the long-term usefulness of the department's computer-based information. The department was aware that control weaknesses existed, and should be commended for requesting an EDP audit.
Montana Department of Transportation

March 12, 1992

Scott A. Seacat
Legislative Auditor
Room 135
State Capitol
Helena, MT 59620

2701 Prospect Avenue
Helena, MT 59620-9726

Stan Stephens, Governor

MAR 13 1992

Subject: Department of Transportation's EDP Audit Report dated April 1992

I am transmitting our response to the audit performed by your office.

Thank you for your staff's effort and cooperation during this audit.

If you have questions concerning our response, please call [illegible] at [illegible]44-6201.

John Rothwell
Director of Highways

JR:DGZ:D:AC:23.cm

An Equal Opportunity Employer
RESPONSES TO EDP AUDIT REPORT
March 12, 1992

Recommendation #1

We recommend the department remove programmer access rights to master data files or log and review programmer access to these files.

Response

Concur.

We have limited access rights to master data files to the programmer(s) responsible for each application. Other programmers no longer have access as they did in the past.

It should be noted that programmers having access to master data files were granted that access by the primary user or owner of the application system involved. This is documented on the Department's Data Security Form 501.

We will log and review programmer access to those master data files deemed to be sensitive or critical.

Recommendation #2

We recommend the department:

A. Delete the universal I/O access for all programmers.

B. Adequately cross train input/output controllers.

Response

A. Concur.

This recommendation has been implemented. Our programmers no longer have access to I/O procedures for job submission.

B. Concur.

This recommendation has been implemented. Our input/output controllers are cross trained.
Recommendation #3

We recommend the department:

A. Periodically review established access rules.

B. Generate, review, and follow up on access violations for sensitive or critical applications on its minicomputer systems.

Response

A. Concur.

Our Information Resource Management Coordinator will update application data security forms and review the associated ACF2 access rules once a year.

B. Concur.

We provide users the capability to restrict access to their applications when needed in both the ORACLE and non-ORACLE environments on the VAX. An unauthorized user trying to access a file will not be granted access. We have the capability to log access violations (i.e., attempts at access) in these environments but feel it would be time consuming and unproductive considering the numerous user applications and systems involved. We will pursue this recommendation if and when sensitive or critical files are added to the VAX environment.

Recommendation #4

We recommend the department security officer notify Accounting Bureau of all employee work location changes which affect access to the on-line claims system.

Response

Concur.

The intent of this recommendation has been met. Our Human Resources Office now notifies the Accounting Services Bureau, Accounts Payable Section of employee changes in location or employment status.
Recommendation #5

We recommend the department:

A. Discontinue use of group logon IDs.

B. Assign adequate access to each logon ID to permit each employee to do his/her job.

C. Emphasize to employees the importance of keeping passwords secure.

Response

A. Concur.

It is the Department's goal to reduce group IDs. For the most part, we have eliminated group IDs for our mainframe and VAX computer systems. There are two areas where this has not been achieved:

1. Series 1 Computers

Our Series 1 computers will be phased out in about one year. The job related group IDs that exist today will cease at that time.

2. CADD on the VAX 785

We will be replacing our VAX 785 server in the next six months. At that time, we will require unique IDs for all CADD users.

B. Concur.

C. Concur.

We will reemphasize the importance of keeping passwords secure in our computer training sessions, management level meetings, field visits, and manuals. This will be a topic of discussion in our future Computer Users Group meetings. A management memo on this subject will also be issued to all offices.

It should be noted that no matter how much security we build into our systems, there is no way to prevent people from sharing their IDs and passwords with one another.
Recommendation #6

We recommend the department:

A. Update the I/O controller manual to document a problem resolution guide, procedures for distributing computer output, and a requirement for a complete job request for each job run;

B. Establish procedures for appropriate distribution of computer output.

Response

A. Concur.

Manuals do exist for processes that are I/O controller submitted. We will have our I/O Controller Supervisor upgrade these manuals to provide more processing documentation, problem resolution information, and output distribution procedures. We will also require users to request special job runs through our E-Mail system. An E-Mail file will be maintained to provide an audit trail for user requests.

B. Concur.

We have already established new security procedures for the distribution of computer output. We have also requested a bin system be built to provide complete output security.

Recommendation #7

We recommend the department establish procedures to authorize and review system maintenance changes.

Response

Concur.

All changes made to existing systems for the purpose of enhancing or modifying those systems are supported by authorized user work requests. For "bugs" encountered in a program, changes related to these will be reported in the DP Project Management System as dynamic projects.
Recommendation #8

We recommend the department:

A. Comply with the contingency guidelines for agencies
specified in section 1-0240.00, MOM.

B. Periodically test the contingency plan.

Response

A. Concur.

It should be noted that the State of Montana Data Processing
Managers Group (DPMG) is currently establishing procedures
for contingency planning for state agencies. We will comply
with all procedures approved by DPMG.

B. Concur.


Recommendation #9

We recommend the department:

A. Ensure field offices follow Accounting Services Bureau
policy regarding the automated invoice file.

B. Evaluate an automated prevention or detection process
which identifies potential duplicate payments.

Response

A. Concur.

The Accounting Services Bureau will continue to stress the
importance of using the automated invoice file during
training sessions. We will also work with management of
these offices to develop understanding and compliance with
the policy.

B. Concur.

We will evaluate the feasibility of an automated prevention
or detection process which identifies potential duplicate
payments.

The Accounting Procedures Manual, Sections 11-110.00 and
11-120.00, refer to the Department's on-line invoice file and
checking for duplicate payments prior to inputting an
invoice into the Highway On-line Claims system.

The Highway On-line Claims system provides an automated
invoice file which lists all invoices (paid or unpaid) that
have been input. An invoice file is maintained for each
payee.
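The automated duplicate-payment check that Recommendation #9B asks the department to evaluate, shown as an added example. This is not code from the audit report or from the Highway On-line Claims system; it only follows the structure the response describes (an invoice file listing paid and unpaid invoices, kept per payee). The field names, the normalization of invoice numbers, and the "same payee, amount and date" near-match rule are assumptions for illustration, as is the sample data, which is constructed.

```python
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Invoice:
    """One record in the automated invoice file (constructed example layout)."""
    payee: str          # vendor identifier; the file is kept per payee
    invoice_no: str     # vendor's invoice number as keyed by the field office
    amount_cents: int   # amount in cents so comparisons are exact
    invoice_date: str   # YYYY-MM-DD
    status: str         # "paid" or "unpaid"; both stay on file, as the response states


def normalize_invoice_no(raw: str) -> str:
    """Canonical form so 'INV-0012', 'inv 12' and 'INV000012' compare equal.
    Assumption: a vendor does not issue distinct invoices that differ only in
    punctuation, case or leading zeros in a numeric run."""
    cleaned = re.sub(r"[^0-9A-Za-z]", "", raw).upper()
    return re.sub(r"0*(\d+)", r"\1", cleaned)


def find_potential_duplicates(invoice_file, candidate):
    """Compare a candidate invoice against the payee's existing invoices.

    invoice_file: dict payee -> list[Invoice] (one file per payee).
    Returns a list of (reason, existing_invoice) pairs; empty means no match.
    """
    hits = []
    cand_no = normalize_invoice_no(candidate.invoice_no)
    for existing in invoice_file.get(candidate.payee, []):
        if normalize_invoice_no(existing.invoice_no) == cand_no:
            hits.append(("same payee and invoice number", existing))
        elif (existing.amount_cents == candidate.amount_cents
              and existing.invoice_date == candidate.invoice_date):
            # A re-keyed invoice under a new number looks like this; flag for review.
            hits.append(("same payee, amount and date", existing))
    return hits


def screen_batch(invoice_file, batch):
    """Prevention mode: accept an invoice only if it has no match, adding each
    accepted invoice to the file at once so repeats inside the same batch are
    also caught. Returns (accepted, rejected); rejected holds (invoice, reasons)."""
    accepted, rejected = [], []
    for inv in batch:
        hits = find_potential_duplicates(invoice_file, inv)
        if hits:
            rejected.append((inv, [reason for reason, _ in hits]))
        else:
            invoice_file.setdefault(inv.payee, []).append(inv)
            accepted.append(inv)
    return accepted, rejected


# Constructed sample data, not taken from the department's systems.
SAMPLE_FILE = {
    "V-100": [Invoice("V-100", "INV-0012", 125000, "1991-03-04", "paid"),
              Invoice("V-100", "INV-0013", 80000, "1991-03-18", "unpaid")],
    "V-200": [Invoice("V-200", "A-7", 4999, "1991-02-01", "paid")],
}
SAMPLE_BATCH = [
    Invoice("V-100", "inv 12", 125000, "1991-03-04", "unpaid"),   # same invoice, re-keyed
    Invoice("V-100", "INV-0014", 80000, "1991-03-18", "unpaid"),  # new number, same amount/date
    Invoice("V-300", "A-7", 4999, "1991-02-01", "unpaid"),        # same number as V-200's: different payee, fine
    Invoice("V-300", "A-7", 4999, "1991-02-01", "unpaid"),        # repeated within the batch
]


def run_sample():
    """Screen the constructed batch against a copy of the constructed file."""
    file_copy = {payee: list(invoices) for payee, invoices in SAMPLE_FILE.items()}
    return screen_batch(file_copy, SAMPLE_BATCH)


if __name__ == "__main__":
    accepted, rejected = run_sample()
    for inv, reasons in rejected:
        print(f"REJECT {inv.payee} {inv.invoice_no}: {', '.join(reasons)}")
    print(f"accepted {len(accepted)}, rejected {len(rejected)}")
```

Running the sample rejects three of the four batch lines and accepts one. The per-payee keying matters: the same invoice number under two different payees is not a duplicate, which is why the check never compares across payee files. In detection mode the same `find_potential_duplicates` can be run after the fact over the whole file, comparing each invoice against the ones keyed before it.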


Recommendation #10

We recommend the department limit access to department
personnel records to those authorized.


Response

Concur.

This has been done. Based on work request #910740 dated
4/8/91, the P001 prompt (the old access method) was
eliminated.


Recommendation #11

We recommend the department implement documented procedures
which ensure the Stores system properly accounts for
inventory purchases and updates usage data.


Response

Concur.

The Accounting Services Bureau now receives all stores
adjustment requests and verifies that the actual adjustments
are made by the Helena Headquarters stockperson. If an
adjustment is related to our claims match process, then the
adjustment must be made and verified before the claims match
file is purged.

We will work with Purchasing Services Bureau and district
personnel regarding training, procedures, and review of
reports.
Recommendation #12

We recommend the department ensure Stores user manuals are
current and timely updated.


Response

Concur.

The Stores user information is in two manuals: the
Accounting Services Bureau Procedures Manual, Stores chapter
7, which is updated twice a year, and the CICS computer
manual, which is current.

The Department is in the process of updating the VAX system.
During this process, an entirely new stores manual will be
written. We do not feel it is cost effective to rewrite the
old manual reflecting a system that is being updated.


Recommendation #13

We recommend the department establish and document a
supervisory review of MMS activity reports.


Response

Do not concur.

MMS is primarily an internal management information system,
not an accounting system. Road oil and gravel inventories,
which are based in MMS, are controlled through an annual
inventory process and claims match procedure. Maintenance
A/R's, which are generated by MMS, are reviewed and approved
before billing occurs. For the MMS system as a whole, a
series of checks and balances are employed. MMS balances to
equipment and payroll files, and stores issues are input per
policy and directive of the Purchasing Services Bureau.

A consultant study of MMS was recently completed, with
recommendations made to improve the system. An internal MMS
committee is currently reviewing the consultant
recommendations. We will pass your recommendation on to
that committee.
Recommendation #14

We recommend the department:

A. Restructure the progress estimate interim payment
system to provide control over the data between the
field project manager and the contractor payment.

B. Document district and Construction Bureau review of the
progress estimates.

Response

A. Concur.

We will investigate implementing an electronic authorization
by district management.

B. Concur.

The review process will be covered in more detail in the new
construction manual.


Recommendation #15

We recommend the department establish formal written
procedures documenting the final contractor payment review
process.


Response

Concur.

The Department already has formal written procedures
documenting the final contractor payment review process.
However, we will also specify sampling procedures which will
be used to check final payment calculations.

The Construction Manual provides general guidelines for
processing final estimates. A final estimate review report,
used by both the district offices and the Construction
Bureau, lists the specific items that must be verified and
approved before final payment is made to the contractor.

We also rely on the knowledge and experience of our review
staff in dealing with the many different variations in
contracts. No one written procedure can cover all the
differences in contracts that we encounter.
Recommendation #16

We recommend the department:

A. Incorporate a date of service field into the CARES file
and billing voucher system.

B. Establish a billing voucher edit which compares date of
service to authorization date.

Response

Do not concur.

Costs cannot be charged to a project or project phase until
FHWA authorization is received. Once a project or project
phase is authorized, the CARES and Billing Voucher Systems
are activated to accept costs. Since journals can deal with
prior period costs, both the Accounting Bureau and Financial
Management Bureau closely review them to assure compliance.
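The billing voucher edit that Recommendation #16B describes, shown as an added example; it is not code from the audit report or from the CARES or Billing Voucher systems. The activation control in the response stops a charge to a project phase that has no authorization at all; a date-of-service comparison additionally catches a cost that was incurred before the authorization date but keyed afterwards, which is the gap the recommendation points at. The authorization table, the voucher line layout, and the rule that a cost dated on the authorization date itself is acceptable are assumptions for illustration; the sample data is constructed.

```python
from datetime import date

# Constructed authorization table: (project, phase) -> FHWA authorization date.
# None records a phase that has not been authorized. Not real project data.
AUTHORIZATIONS = {
    ("P-4410", "PE"): date(1990, 11, 1),
    ("P-4410", "CN"): date(1991, 4, 15),
    ("P-5120", "PE"): None,
}


def edit_voucher_line(line, authorizations=AUTHORIZATIONS):
    """Return None when the line passes the edit, otherwise the exception text.

    line: dict with keys project, phase, date_of_service (datetime.date),
          amount_cents. The date_of_service field is the one Recommendation
          #16A asks to be added to the CARES file and billing voucher.
    """
    key = (line["project"], line["phase"])
    if key not in authorizations:
        return "unknown project/phase"
    auth = authorizations[key]
    if auth is None:
        # This is the case the response's activation control already rejects.
        return "project phase not authorized"
    if line["date_of_service"] < auth:
        # Phase is authorized now, but the cost predates the authorization.
        return (f"date of service {line['date_of_service']} precedes "
                f"authorization {auth}")
    return None  # assumption: a cost dated on the authorization date is allowed


def edit_voucher(lines, authorizations=AUTHORIZATIONS):
    """Run the edit over every line of a voucher.
    Returns a list of (line index, exception text) for lines that fail."""
    exceptions = []
    for index, line in enumerate(lines):
        message = edit_voucher_line(line, authorizations)
        if message is not None:
            exceptions.append((index, message))
    return exceptions


# Constructed sample voucher, not taken from the department's systems.
SAMPLE_VOUCHER = [
    {"project": "P-4410", "phase": "CN", "date_of_service": date(1991, 5, 2),
     "amount_cents": 1250000},   # after CN authorization: passes
    {"project": "P-4410", "phase": "CN", "date_of_service": date(1991, 3, 30),
     "amount_cents": 40000},     # keyed after activation, incurred before: fails
    {"project": "P-5120", "phase": "PE", "date_of_service": date(1991, 5, 9),
     "amount_cents": 9900},      # phase never authorized: fails
    {"project": "P-4410", "phase": "PE", "date_of_service": date(1990, 11, 1),
     "amount_cents": 500},       # on the authorization date: passes
]


def run_sample():
    """Apply the edit to the constructed voucher."""
    return edit_voucher(SAMPLE_VOUCHER)


if __name__ == "__main__":
    for index, message in run_sample():
        print(f"line {index}: {message}")
```

Only the second exception depends on the date-of-service field; without that field the edit collapses to the activation check and the back-dated cost on an authorized phase passes unnoticed, leaving the journal review the response describes as the sole control.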


Recommendation #17

We recommend the department restrict editing to only those
data fields on CARES which relate to the construction
projects.


Response

Do not concur.

Authorized Accounting personnel must be able to access and
make necessary changes to CARES data fields, other than
project related fields, in order to correct errors input
from source systems, correct imbalances between all source
totals and data entry totals, and to assure that internal
systems balance to external systems, such as SBAS. All
changes are supported by CARES edit reports, trial balance
runs, memorandums, etc. A monthly printout of all CARES
changes is also generated and reviewed by Accounting. Also,
as a compensating control, the Accounting Services Bureau
now periodically reviews edit changes made.